Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id C043CC43387 for ; Thu, 3 Jan 2019 01:27:22 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 87FEE20815 for ; Thu, 3 Jan 2019 01:27:21 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="be2rjNqs" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726072AbfACB1V (ORCPT ); Wed, 2 Jan 2019 20:27:21 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:50908 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726049AbfACB1V (ORCPT ); Wed, 2 Jan 2019 20:27:21 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 45FF0F00E; Thu, 3 Jan 2019 12:27:19 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546478839; bh=4hxpJe4Q5INuDHQWDTNfFkEeCV5L+6b50N0mN0OjI+0=; l=2834; h=From:To:Reply-To:Cc:Subject:Date:In-Reply-To:References:From; b=be2rjNqs5oF1WirjMLWBtC0tTtywEpSZxW9pM4cpGW7T+3yDd/mO+lJGlLRVn4zLf mwf4jP5ttztvPUnmLpPbEjDUOtC8QnmmghiowS760SZKYSnReq4B676YZ1kncG3F8t Os2n4KtKVUdSihRFfizUixqbg+C1q9tPEH+5RQmw= Received: by xev.coker.com.au (Postfix, from userid 1001) id A79F8C3718B; Thu, 3 Jan 2019 12:27:14 +1100 (AEDT) From: Russell Coker To: Chris PeBenito Reply-To: russell@coker.com.au Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login Date: Thu, 03 Jan 2019 12:27:14 +1100 Message-ID: <1772308.Oo6GzzOkXA@xev> In-Reply-To: References: <20190102084045.GA31076@aaa.coker.com.au> MIME-Version: 1.0 Content-Transfer-Encoding: 7Bit Content-Type: text/plain; charset="us-ascii" Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Would you like me to resubmit those patches or would you rather just add them with the changes you suggest? On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote: > On 1/2/19 3:40 AM, Russell Coker wrote: > > Lots of little things that are self-explanatory. > > > > Boinc has some unusual stuff for lsb_release -a and for mmaping > > ld.so.cache. > > > > Remove obsolete policy from syncthing as we have it in > > sysnet_dns_name_resolve(). > > [...] > > > Index: refpolicy-2.20180701/policy/modules/services/boinc.te > > =================================================================== > > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te > > +++ refpolicy-2.20180701/policy/modules/services/boinc.te > > [...] > > > @@ -169,7 +173,7 @@ optional_policy(` > > > > # > > > > allow boinc_project_t self:capability { setgid setuid }; > > > > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace > > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t > > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid > > setsched signal signal_perms }; > This change shouldn't be necessary since signal is already in signal_perms. > > [...] > > > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if > > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if > > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',` > > > > ####################################### > > ## > > > > +## relabel the last logins log. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`auth_relabel_lastlog',` > > + gen_require(` > > + type lastlog_t; > > + ') > > + > > + logging_search_logs($1) > > + allow $1 lastlog_t:file { relabelfrom relabelto }; > > +') > > + > > +####################################### > > +## > > > > ## Read and write to the last logins log. > > ## > > ## > > > > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',` > > > > ') > > > > ######################################## > > > > +## > > +## Manage the last logins log. > > +## > > +## > > +## > > +## Domain allowed access. > > +## > > +## > > +# > > +interface(`auth_manage_lastlog',` > > + gen_require(` > > + type lastlog_t; > > + ') > > + > > + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms }; > > The relabel perms shouldn't be in here. I'd say split it into a new > interface, but you're adding the other interface earlier in the patch. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/