Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS,MAILING_LIST_MULTI, SPF_PASS,URIBL_BLOCKED,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 7D5DDC43387 for ; Fri, 4 Jan 2019 07:35:14 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3BB002184B for ; Fri, 4 Jan 2019 07:35:14 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="trBjU5R9" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726200AbfADHfN (ORCPT ); Fri, 4 Jan 2019 02:35:13 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:39636 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726036AbfADHfM (ORCPT ); Fri, 4 Jan 2019 02:35:12 -0500 Received: from liv.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 0C354EE69 for ; Fri, 4 Jan 2019 18:35:09 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546587309; bh=dxpHn+heataE1iQ63XsBy2fRuN90CTvCGUmg2oKSYpI=; l=10400; h=Date:From:To:Subject:From; b=trBjU5R9aZ/2MneO0T9zV7ki1bBqrU9N0UN/dTZZ3LHm6BN6Y4hlxxILtZTvkeh98 2OCCkUkHt6CqbEyBSvyXF7a1kR1uNAgtmYs4j+PqJRFCvPUmWOefJ0C/gCbgTHSnnP 20gdnvIZ4ZPlipVCcP6R2V6v2KnuGR6GzEOPTf+M= Received: by liv.coker.com.au (Postfix, from userid 1000) id 333A62D1E81; Fri, 4 Jan 2019 18:35:03 +1100 (AEDT) Date: Fri, 4 Jan 2019 18:35:03 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] last misc stuff Message-ID: <20190104073503.GC11256@aaa.coker.com.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org More tiny patches. Note that this and the other 2 patches I just sent are not dependent on each other, please apply any that you like. Index: refpolicy-2.20180701/policy/modules/admin/apt.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc +++ refpolicy-2.20180701/policy/modules/admin/apt.fc @@ -1,9 +1,12 @@ /etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0) -ifndef(`distro_redhat',` +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) +/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0) + +ifndef(`distro_redhat',` +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) Index: refpolicy-2.20180701/policy/modules/admin/backup.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/backup.te +++ refpolicy-2.20180701/policy/modules/admin/backup.te 
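Review bot: The added `/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)` line gives an index-maintenance helper the same apt_exec_t entrypoint as apt-get and aptitude, so when its cron job runs it ends up in the full apt_t domain rather than with only the read access to the package cache an indexer presumably needs (confirm against what the script actually touches). If that is deliberate, a one-line comment such as `# indexer shares apt_t so cron can read the apt cache` above the line records it; otherwise a narrower label for the helper seems worth considering. The hunk also moves the ifndef(`distro_redhat') guard so that apt, apt-get, aptitude and the indexer are labelled unconditionally, which looks intentional but is not mentioned in the description.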
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t) logging_send_syslog_msg(backup_t) +miscfiles_read_localization(backup_t) + sysnet_read_config(backup_t) userdom_use_user_terminals(backup_t) Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te +++ refpolicy-2.20180701/policy/modules/admin/dpkg.te @@ -317,6 +317,10 @@ optional_policy(` ') optional_policy(` + init_dbus_chat(dpkg_script_t) +') + +optional_policy(` modutils_run(dpkg_script_t, dpkg_roles) ') Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te @@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t) fs_getattr_xattr_fs(logrotate_t) fs_list_inotifyfs(logrotate_t) fs_getattr_tmpfs(logrotate_t) +# killall reads nsfs files +fs_read_nsfs_files(logrotate_t) mls_file_read_all_levels(logrotate_t) mls_file_write_all_levels(logrotate_t) Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te @@ -189,7 +189,7 @@ optional_policy(` # allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource }; -dontaudit groupadd_t self:capability { fsetid sys_tty_config }; +dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config }; allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow groupadd_t self:fd use; allow groupadd_t self:fifo_file rw_fifo_file_perms; 
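Review bot: `init_dbus_chat(dpkg_script_t)` in the new optional_policy block has no comment recording which maintainer-script action needs a D-Bus channel to init; the refpolicy `*_dbus_chat` interfaces grant send_msg in both directions, so a later reader cannot tell whether this was added for a systemctl call in a postinst or for something else. Suggest `# maintainer scripts call systemctl, which talks to systemd over the system bus` above the call, adjusted to whatever the denial actually showed. The surrounding optional_policy blocks continue outside the hunk.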
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` + dbus_system_bus_client(groupadd_t) +') + +optional_policy(` dpkg_use_fds(groupadd_t) dpkg_rw_pipes(groupadd_t) ') @@ -269,6 +273,10 @@ optional_policy(` rpm_rw_pipes(groupadd_t) ') +optional_policy(` + unconfined_use_fds(groupadd_t) +') + ######################################## # # Passwd local policy @@ -446,7 +454,7 @@ optional_policy(` # allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource }; -dontaudit useradd_t self:capability sys_tty_config; +dontaudit useradd_t self:capability { net_admin sys_tty_config }; allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; allow useradd_t self:fd use; allow useradd_t self:fifo_file rw_fifo_file_perms; @@ -538,6 +546,10 @@ optional_policy(` ') optional_policy(` + dbus_system_bus_client(useradd_t) +') + +optional_policy(` dpkg_use_fds(useradd_t) dpkg_rw_pipes(useradd_t) ') @@ -560,3 +572,7 @@ optional_policy(` rpm_use_fds(useradd_t) rpm_rw_pipes(useradd_t) ') + +optional_policy(` + unconfined_use_fds(useradd_t) +') Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te +++ refpolicy-2.20180701/policy/modules/apps/syncthing.te 
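Review bot: `dbus_system_bus_client(groupadd_t)` and `unconfined_use_fds(groupadd_t)`, and the matching useradd_t additions in the -538 and -560 hunks, arrive without any comment on what triggered them; connecting an account-management tool to the system bus is new reach for these domains and deserves a recorded rationale (presumably an NSS module doing lookups over D-Bus during account creation — confirm against the AVC that prompted it). Suggest `# account lookups during user/group creation go over the system bus` above each dbus block, and for the unconfined_use_fds blocks something like `# inherits fds when invoked from an unconfined admin shell`. The `net_admin` dontaudit in the -446 hunk (and the groupadd one in the -189 hunk on the previous line) only silences noise, so a comment is less important there. Each optional_policy block is complete within its hunk.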
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn userdom_use_user_terminals(syncthing_t) -optional_policy(` - # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve() - networkmanager_read_pid_files(syncthing_t) -') Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc @@ -181,6 +181,7 @@ ifdef(`distro_gentoo',` /usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) +/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) @@ -215,6 +216,7 @@ ifdef(`distro_gentoo',` /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) +/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) 
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',` /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) Index: refpolicy-2.20180701/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20180701/policy/modules/system/locallogin.te @@ -34,7 +34,7 @@ role system_r types sulogin_t; allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; dontaudit local_login_t self:capability net_admin; -allow local_login_t self:process { setexec setrlimit setsched }; +allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; allow local_login_t self:fd use; allow local_login_t self:fifo_file rw_fifo_file_perms; allow local_login_t self:sock_file read_sock_file_perms; @@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t) miscfiles_read_localization(local_login_t) +userdom_manage_all_users_keys(local_login_t) userdom_spec_domtrans_all_users(local_login_t) userdom_signal_all_users(local_login_t) userdom_search_user_home_content(local_login_t) Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te +++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te 
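Review bot: `userdom_manage_all_users_keys(local_login_t)` grants local_login_t manage rights on every user domain's key objects, which is likely wider than the create/link/search a login program needs for the session keyring, and nothing in the hunk says which program or PAM module triggered it. If pam_keyinit setting up the session keyring is the cause (confirm against the denial), a comment such as `# pam_keyinit creates the session keyring in the user's key namespace` above the line lets a later reader judge whether a narrower interface can replace it. The `getcap setcap` additions in the -34 hunk likewise deserve a one-line note on which step of login queries or changes its capability set. Both locallogin hunks are complete in the diff.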
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t) files_dontaudit_read_all_symlinks(setfiles_t) fs_getattr_all_xattr_fs(setfiles_t) +fs_getattr_cgroup(setfiles_t) fs_getattr_nfs(setfiles_t) fs_getattr_pstore_dirs(setfiles_t) fs_getattr_pstorefs(setfiles_t) Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te @@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t, allow dhcpc_t dhcp_state_t:file read_file_perms; manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) +allow dhcpc_t dhcpc_state_t:file map; # create pid file manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) @@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t) logging_send_syslog_msg(ifconfig_t) +# dhclient reads /etc/ssl +miscfiles_read_generic_certs(dhcpc_t) miscfiles_read_localization(ifconfig_t) seutil_use_runinit_fds(ifconfig_t) Index: refpolicy-2.20180701/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/udev.te +++ refpolicy-2.20180701/policy/modules/system/udev.te @@ -306,10 +306,6 @@ optional_policy(` ') optional_policy(` - lvm_domtrans(udev_t) -') - -optional_policy(` fstools_domtrans(udev_t) ') @@ -328,6 +324,10 @@ optional_policy(` ') optional_policy(` + iptables_domtrans(udev_t) +') + +optional_policy(` lvm_domtrans(udev_t) ')
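Review bot: `miscfiles_read_generic_certs(dhcpc_t)` is inserted between `logging_send_syslog_msg(ifconfig_t)` and `miscfiles_read_localization(ifconfig_t)`, i.e. inside the ifconfig_t local policy block, while the rule is for dhcpc_t. Moving it next to the other dhcpc_t rules (the -68 hunk of this file shows that section) keeps each domain's policy in one place and avoids a reader missing it when auditing dhcpc_t's file access. The comment `# dhclient reads /etc/ssl` is welcome; it could say why (presumably dhclient links a TLS library that loads the default certificate bundle at startup — confirm) so a later cleanup knows whether read access to the whole cert store is really required.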
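Review bot: `iptables_domtrans(udev_t)` lets udev execute the iptables binaries and transition into iptables_t, a domain that can rewrite the host firewall, and the hunk gives no indication of which udev rule calls into it. A comment naming the rule or package (e.g. `# <package> ships a udev rule that runs iptables on interface events`, with the real name substituted) should accompany it, because a later audit of what udev_t can reach would otherwise have nothing to go on. The removal and re-insertion of `lvm_domtrans(udev_t)` in the -306 and -328 hunks is only a reorder and needs nothing. Both udev hunks are complete in the diff.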