2021-01-20 11:12:13

by Russell Coker

[permalink] [raw]
Subject: [PATCH] misc network patches

Collection of net related patches, ready for inclusion.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210120/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20210120/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;

corenet_all_recvfrom_netlabel(ping_t)
corenet_sendrecv_icmp_packets(ping_t)
@@ -164,13 +165,14 @@ allow traceroute_t self:capability { net
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;

can_exec(traceroute_t, traceroute_exec_t)

kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)

corecmd_search_bin(traceroute_t)

@@ -205,6 +207,7 @@ auth_use_nsswitch(traceroute_t)

logging_send_syslog_msg(traceroute_t)

+miscfiles_read_generic_certs(traceroute_t)
miscfiles_read_localization(traceroute_t)

userdom_use_inherited_user_terminals(traceroute_t)
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)

/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)

ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.3)
# Declarations
#

+## <desc>
+## <p>
+## Determine whether DHCP client
+## can manage samba
+## </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
attribute_role dhcpc_roles;
roleattribute system_r dhcpc_roles;

@@ -175,6 +183,15 @@ ifdef(`init_systemd',`
')

optional_policy(`
+ tunable_policy(`dhcpc_manage_samba',`
+ samba_manage_var_files(dhcpc_t)
+ init_exec_script_files(dhcpc_t)
+ init_get_system_status(dhcpc_t)
+ samba_restart(dhcpc_t)
+ ')
+')
+
+optional_policy(`
avahi_domtrans(dhcpc_t)
')

Index: refpolicy-2.20210120/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20210120/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#
corenet_ib_access_unlabeled_pkeys(staff_t)

+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -36,6 +40,10 @@ optional_policy(`
')

optional_policy(`
+ netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')

@@ -65,6 +73,11 @@ optional_policy(`
')

optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(staff_t)
+')
+
+optional_policy(`
xscreensaver_role(staff_r, staff_t)
')

Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)

#role user_r;

userdom_unpriv_user_template(user)

+tunable_policy(`user_bind_unreserved', `
+ corenet_tcp_bind_all_unreserved_ports(user_t)
+ corenet_udp_bind_all_unreserved_ports(user_t)
+ corenet_tcp_bind_generic_node(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
@@ -25,6 +37,10 @@ optional_policy(`
')

optional_policy(`
+ netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')

@@ -33,6 +49,11 @@ optional_policy(`
')

optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(user_t)
+')
+
+optional_policy(`
xscreensaver_role(user_r, user_t)
')

Index: refpolicy-2.20210120/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.if
+++ refpolicy-2.20210120/policy/modules/services/samba.if
@@ -729,3 +729,22 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
')
+
+########################################
+## <summary>
+## Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_restart',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service { start stop status reload };
+')
Index: refpolicy-2.20210120/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20210120/policy/modules/system/xdg.if
@@ -921,6 +921,24 @@ interface(`xdg_watch_documents_dirs',`

########################################
## <summary>
+## Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_documents_t type.
## </summary>
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
files_runtime_filetrans(mon_t, mon_runtime_t, file)

+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
kernel_read_kernel_sysctls(mon_t)
kernel_read_network_state(mon_t)
kernel_read_system_state(mon_t)
Index: refpolicy-2.20210120/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210120/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
dev_read_urand(mailman_cgi_t)

files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)

term_use_controlling_term(mailman_cgi_t)

Index: refpolicy-2.20210120/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20210120/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi

corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)

dev_read_urand(dkim_milter_t)
# for cpu/online


2021-01-20 14:06:15

by Dominick Grift

[permalink] [raw]
Subject: Re: [PATCH] misc network patches

Russell Coker <[email protected]> writes:

> Collection of net related patches, ready for inclusion.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210120/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20210120/policy/modules/admin/netutils.te
> @@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
> allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
> allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
> allow ping_t self:netlink_route_socket create_netlink_socket_perms;
> +allow ping_t self:icmp_socket create;
>
> corenet_all_recvfrom_netlabel(ping_t)
> corenet_sendrecv_icmp_packets(ping_t)
> @@ -164,13 +165,14 @@ allow traceroute_t self:capability { net
> allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
> allow traceroute_t self:process signal;
> allow traceroute_t self:rawip_socket create_socket_perms;
> -allow traceroute_t self:packet_socket create_socket_perms;
> +allow traceroute_t self:packet_socket { map create_socket_perms };
> allow traceroute_t self:udp_socket create_socket_perms;
>
> can_exec(traceroute_t, traceroute_exec_t)
>
> kernel_read_system_state(traceroute_t)
> kernel_read_network_state(traceroute_t)
> +kernel_search_fs_sysctls(traceroute_t)
>
> corecmd_search_bin(traceroute_t)
>
> @@ -205,6 +207,7 @@ auth_use_nsswitch(traceroute_t)
>
> logging_send_syslog_msg(traceroute_t)
>
> +miscfiles_read_generic_certs(traceroute_t)
> miscfiles_read_localization(traceroute_t)
>
> userdom_use_inherited_user_terminals(traceroute_t)
> Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.fc
> +++ refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
> @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
>
> /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> ifdef(`distro_redhat',`
> /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
> @@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.3)
> # Declarations
> #
>
> +## <desc>
> +## <p>
> +## Determine whether DHCP client
> +## can manage samba
> +## </p>
> +## </desc>
> +gen_tunable(dhcpc_manage_samba, false)
> +
> attribute_role dhcpc_roles;
> roleattribute system_r dhcpc_roles;
>
> @@ -175,6 +183,15 @@ ifdef(`init_systemd',`
> ')
>
> optional_policy(`
> + tunable_policy(`dhcpc_manage_samba',`
> + samba_manage_var_files(dhcpc_t)
> + init_exec_script_files(dhcpc_t)
> + init_get_system_status(dhcpc_t)
> + samba_restart(dhcpc_t)
> + ')
> +')
> +
> +optional_policy(`
> avahi_domtrans(dhcpc_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/roles/staff.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
> +++ refpolicy-2.20210120/policy/modules/roles/staff.te
> @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> #
> corenet_ib_access_unlabeled_pkeys(staff_t)
>
> +corenet_tcp_bind_all_unreserved_ports(staff_t)
> +corenet_udp_bind_all_unreserved_ports(staff_t)
> +corenet_tcp_bind_generic_node(staff_t)

staff_t is a "unpriv user" and so "userdom_unpriv_user_template()"
applies to staff_t.

this template has two booleans: user_tcp_server and user_udp_server
these booleans currently allow unpriv users to bind tcp and udp sockets
to generic ports respectively.

This is old, inaccurate and outdated. Instead those booleans should
probably be modernized:

tunable_policy(`user_tcp_server',`
corenet_tcp_bind_generic_node($1_t)
corenet_tcp_bind_all_unreserved_ports($1_t)
')

tunable_policy(`user_udp_server',`
corenet_udp_bind_generic_node($1_t)
corenet_udp_bind_all_unreserved_ports($1_t)
')

> +
> optional_policy(`
> apache_role(staff_r, staff_t)
> ')
> @@ -36,6 +40,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(staff_t)
> +')
> +

This is already (conditionlly) allowed in the userdom_unpriv_user_template()
To make it work requires a boolean to be set to true (i believe)

> +optional_policy(`
> postgresql_role(staff_r, staff_t)
> ')
>
> @@ -65,6 +73,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(staff_t)

What location is this exactly? ~/.local/bin?

I would associate a "bin_home_t" with ~/.local/bin and only allow that
to be executed, rather than all of ~/.local

But regardless this, or similar rule should apply to
userdom_unpriv_user_template() instead. Use the templates.

> +')
> +
> +optional_policy(`
> xscreensaver_role(staff_r, staff_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
> #
> # Declarations
> #
> +## <desc>
> +## <p>
> +## Allow user to bind all unreserved ports
> +## </p>
> +## </desc>
> +gen_tunable(user_bind_unreserved, false)

Modernize and use the existing user_tcp_server and user_udp_server
booleans in userdom_unpriv_user_template() instead? See above comment.

>
> #role user_r;
>
> userdom_unpriv_user_template(user)
>
> +tunable_policy(`user_bind_unreserved', `
> + corenet_tcp_bind_all_unreserved_ports(user_t)
> + corenet_udp_bind_all_unreserved_ports(user_t)
> + corenet_tcp_bind_generic_node(user_t)
> +')

See above comment about user_tcp_server and user_udp_server booleans in userdom_unpriv_user_template()

> +
> optional_policy(`
> apache_role(user_r, user_t)
> ')
> @@ -25,6 +37,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + netutils_domtrans_ping(user_t)
> +')
> +

This is already allowed conditionally in userdom_unpriv_user_template()
requires a boolean to be set to true to work. Adding this rule would
break that existing model.

> +optional_policy(`
> screen_role_template(user, user_r, user_t)
> ')
>
> @@ -33,6 +49,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for torbrowser-launcher
> + xdg_exec_data(user_t)
> +')
> +

What location is this exactly? ~/.local/bin?

I would associate a "bin_home_t" with ~/.local/bin and only allow that
to be executed, rather than all of ~/.local

But regardless this, or similar rule should apply to
userdom_unpriv_user_template() instead. Use the templates.

> +optional_policy(`
> xscreensaver_role(user_r, user_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/services/samba.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/samba.if
> +++ refpolicy-2.20210120/policy/modules/services/samba.if
> @@ -729,3 +729,22 @@ interface(`samba_admin',`
> files_list_tmp($1)
> admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
> ')
> +
> +########################################
> +## <summary>
> +## Restart and get status of samba daemon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`samba_restart',`
> + gen_require(`
> + type samba_unit_t;
> + ')
> +
> + allow $1 samba_unit_t:file getattr;
> + allow $1 samba_unit_t:service { start stop status reload };

This interface seems a bit broad

> +')
> Index: refpolicy-2.20210120/policy/modules/system/xdg.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/system/xdg.if
> +++ refpolicy-2.20210120/policy/modules/system/xdg.if
> @@ -921,6 +921,24 @@ interface(`xdg_watch_documents_dirs',`
>
> ########################################
> ## <summary>
> +## Allow executing the xdg data home files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xdg_exec_data',`
> + gen_require(`
> + type xdg_data_t;
> + ')
> +
> + can_exec($1, xdg_data_t)
> +')

It's not very common. Did you add this for ~/.local/bin?

I would probably associate a private "bin_home_t" type with ~/.local/bin

> +
> +########################################
> +## <summary>
> ## Create objects in the user home dir with an automatic type transition to
> ## the xdg_documents_t type.
> ## </summary>
> Index: refpolicy-2.20210120/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210120/policy/modules/services/mon.te
> @@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
> manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
> files_runtime_filetrans(mon_t, mon_runtime_t, file)
>
> +# to read fips_enabled
> +kernel_read_crypto_sysctls(mon_t)
> +
> kernel_read_kernel_sysctls(mon_t)
> kernel_read_network_state(mon_t)
> kernel_read_system_state(mon_t)
> Index: refpolicy-2.20210120/policy/modules/services/mailman.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
> +++ refpolicy-2.20210120/policy/modules/services/mailman.te
> @@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
> dev_read_urand(mailman_cgi_t)
>
> files_search_locks(mailman_cgi_t)
> +files_read_usr_files(mailman_cgi_t)
>
> term_use_controlling_term(mailman_cgi_t)
>
> Index: refpolicy-2.20210120/policy/modules/services/dkim.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/dkim.te
> +++ refpolicy-2.20210120/policy/modules/services/dkim.te
> @@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
>
> corenet_udp_bind_generic_node(dkim_milter_t)
> corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
> +corenet_udp_bind_generic_port(dkim_milter_t)
>
> dev_read_urand(dkim_milter_t)
> # for cpu/online
>

--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

2021-01-27 08:35:58

by Russell Coker

[permalink] [raw]
Subject: Re: [PATCH] misc network patches

On Thursday, 21 January 2021 12:23:29 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210120/policy/modules/roles/staff.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
> > +++ refpolicy-2.20210120/policy/modules/roles/staff.te
> > @@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
> >
> > #
> > corenet_ib_access_unlabeled_pkeys(staff_t)
> >
> > +corenet_tcp_bind_all_unreserved_ports(staff_t)
> > +corenet_udp_bind_all_unreserved_ports(staff_t)
> > +corenet_tcp_bind_generic_node(staff_t)
>
> staff_t is a "unpriv user" and so "userdom_unpriv_user_template()"
> applies to staff_t.

OK, I'll remove that.

> this template has two booleans: user_tcp_server and user_udp_server
> these booleans currently allow unpriv users to bind tcp and udp sockets
> to generic ports respectively.
>
> This is old, inaccurate and outdated. Instead those booleans should
> probably be modernized:
>
> tunable_policy(`user_tcp_server',`
> corenet_tcp_bind_generic_node($1_t)
> corenet_tcp_bind_all_unreserved_ports($1_t)
> ')
>
> tunable_policy(`user_udp_server',`
> corenet_udp_bind_generic_node($1_t)
> corenet_udp_bind_all_unreserved_ports($1_t)
> ')

Unreserved ports means all ports >1023. I don't think that's what we want.
There are lots of daemons using ports >1023, many of which are IANA assigned.

> > optional_policy(`
> >
> > apache_role(staff_r, staff_t)
> >
> > ')
> >
> > @@ -36,6 +40,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + netutils_domtrans_ping(staff_t)
> > +')
> > +
>
> This is already (conditionlly) allowed in the userdom_unpriv_user_template()
> To make it work requires a boolean to be set to true (i believe)

OK, I'll remove that.

> > +optional_policy(`
> >
> > postgresql_role(staff_r, staff_t)
> >
> > ')
> >
> > @@ -65,6 +73,11 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + # for torbrowser-launcher
> > + xdg_exec_data(staff_t)
>
> What location is this exactly? ~/.local/bin?

~/.local/share/torbrowser/tbb/x86_64/tor-browser_en-US/Browser/

> I would associate a "bin_home_t" with ~/.local/bin and only allow that
> to be executed, rather than all of ~/.local
>
> But regardless this, or similar rule should apply to
> userdom_unpriv_user_template() instead. Use the templates.

OK, I'll remove it for now.

> > +')
> > +
> > +optional_policy(`
> >
> > xscreensaver_role(staff_r, staff_t)
> >
> > ')
> >
> > Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
> > +++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
> > @@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
> >
> > #
> > # Declarations
> > #
> >
> > +## <desc>
> > +## <p>
> > +## Allow user to bind all unreserved ports
> > +## </p>
> > +## </desc>
> > +gen_tunable(user_bind_unreserved, false)
>
> Modernize and use the existing user_tcp_server and user_udp_server
> booleans in userdom_unpriv_user_template() instead? See above comment.

OK.

> > #role user_r;
> >
> > userdom_unpriv_user_template(user)
> >
> > +tunable_policy(`user_bind_unreserved', `
> > + corenet_tcp_bind_all_unreserved_ports(user_t)
> > + corenet_udp_bind_all_unreserved_ports(user_t)
> > + corenet_tcp_bind_generic_node(user_t)
> > +')
>
> See above comment about user_tcp_server and user_udp_server booleans in
> userdom_unpriv_user_template()

OK.

> > ')
> >
> > @@ -25,6 +37,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + netutils_domtrans_ping(user_t)
> > +')
> > +
>
> This is already allowed conditionally in userdom_unpriv_user_template()
> requires a boolean to be set to true to work. Adding this rule would
> break that existing model.

OK.

> > +########################################
> > +## <summary>
> > +## Restart and get status of samba daemon
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed access.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`samba_restart',`
> > + gen_require(`
> > + type samba_unit_t;
> > + ')
> > +
> > + allow $1 samba_unit_t:file getattr;
> > + allow $1 samba_unit_t:service { start stop status reload };
>
> This interface seems a bit broad

OK.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/