Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login
To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
References: <20190102084045.GA31076@aaa.coker.com.au> <1772308.Oo6GzzOkXA@xev>
From: Chris PeBenito
Date: Thu, 3 Jan 2019 17:34:51 -0500
In-Reply-To: <1772308.Oo6GzzOkXA@xev>

On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?

My preference in this case would be resubmit.

> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te >>> =================================================================== >>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te >>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te >> >> [...] >> >>> @@ -169,7 +173,7 @@ optional_policy(` >>> >>> # >>> >>> allow boinc_project_t self:capability { setgid setuid }; >>> >>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace >>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t >>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid >>> setsched signal signal_perms };
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if >>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
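Review bot: the `signal` permission added on the `+allow boinc_project_t self:process { ... setsched signal signal_perms };` line is already granted by `signal_perms`, the refpolicy pattern that expands to the signal permissions including `signal`, so the hunk is a no-op and should be dropped from the series. If this rule is being revisited at all, the permissions in the existing set that deserve a justification in the commit message are `execmem`, `execstack` and `ptrace`, not `signal`.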
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',` >>> >>> ####################################### >>> ## >>> >>> +## relabel the last logins log. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`auth_relabel_lastlog',` >>> + gen_require(` >>> + type lastlog_t; >>> + ') >>> + >>> + logging_search_logs($1) >>> + allow $1 lastlog_t:file { relabelfrom relabelto }; >>> +') >>> + >>> +####################################### >>> +## >>> >>> ## Read and write to the last logins log. >>> ## >>> ## >>> >>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',` >>> >>> ') >>> >>> ######################################## >>> >>> +## >>> +## Manage the last logins log. >>> +## >>> +## >>> +## >>> +## Domain allowed access. >>> +## >>> +## >>> +# >>> +interface(`auth_manage_lastlog',` >>> + gen_require(` >>> + type lastlog_t; >>> + ') >>> + >>> + allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>>
>> The relabel perms shouldn't be in here. I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.
>
>
-- 
Chris PeBenito
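Review bot: the summary on the `+## relabel the last logins log.` line in the `@@ -823,6 +823,25 @@` hunk should be capitalised ("Relabel the last logins log.") to match the neighbouring summaries in this file (`## Read and write to the last logins log.`, `+## Manage the last logins log.`). The body is the right shape: `logging_search_logs($1)` plus `relabelfrom relabelto` on `lastlog_t:file` and nothing else, which keeps relabelling lastlog a separate, narrowly scoped grant that callers opt into explicitly.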
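Review bot: the `relabelfrom relabelto` permissions on the `+ allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };` line in the `@@ -841,6 +860,25 @@` hunk do not belong in a manage interface: changing a file's type label is a distinct privilege from creating, writing or unlinking it, and the rest of the `auth_*_lastlog` interfaces grant only the access their name states. Reduce the rule to `allow $1 lastlog_t:file manage_file_perms;`; a caller that genuinely needs both can call `auth_relabel_lastlog`, added earlier in this same patch, alongside `auth_manage_lastlog`.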