Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20190102084045.GA31076@aaa.coker.com.au>
From: Chris PeBenito
Date: Wed, 2 Jan 2019 18:52:55 -0500
In-Reply-To: <20190102084045.GA31076@aaa.coker.com.au>

On 1/2/19 3:40 AM, Russell Coker wrote:
> Lots of little things that are self-explanatory.
>
> Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
>
> Remove obsolete policy from syncthing as we have it in
> sysnet_dns_name_resolve().
> [...]
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]
> @@ -169,7 +173,7 @@ optional_policy(`
> #
>
> allow boinc_project_t self:capability { setgid setuid };
> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
> +allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };

This change shouldn't be necessary since signal is already in signal_perms.

[...]
> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ##
> +## relabel the last logins log.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +##
> ## Read and write to the last logins log.
> ##
> ##
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> ')
>
> ########################################
> +##
> +## Manage the last logins log.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`auth_manage_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };

The relabel perms shouldn't be in here. I'd say split it into a new interface, but you're adding the other interface earlier in the patch.

-- 
Chris PeBenito
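Review bot: the `+` line in the boinc.te hunk (`... setsched signal signal_perms };`) is a no-op, because the refpolicy permission set `signal_perms`, defined in policy/support/obj_perm_sets.spt as `{ sigchld sigkill sigstop signull signal }`, already contains `signal`; drop that hunk instead of listing `signal` next to `signal_perms`.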
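Review bot: in the `auth_relabel_lastlog` hunk, `allow $1 lastlog_t:file { relabelfrom relabelto };` leaves out `getattr`, which relabeling tools need to stat the file before changing its context; use the refpolicy set `relabel_file_perms` (`{ getattr relabelfrom relabelto }`), i.e. `allow $1 lastlog_t:file relabel_file_perms;`. The `logging_search_logs($1)` call above it already covers the directory lookup, so nothing else is needed.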
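Review bot: in the `auth_manage_lastlog` hunk, `allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };` mixes relabel permissions into a manage interface; restrict it to `manage_file_perms` and let callers that also need to relabel use `auth_relabel_lastlog` from the earlier hunk. The quoted lines also show no `logging_search_logs($1)` before the allow, unlike `auth_relabel_lastlog`; if the rest of the hunk does not add it, callers will be able to manage lastlog_t but not search the log directory to reach the file.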