Subject: Re: [PATCH] misc services patches
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20190104073357.GB11256@aaa.coker.com.au>
From: Chris PeBenito
Date: Sat, 5 Jan 2019 13:34:31 -0500
In-Reply-To: <20190104073357.GB11256@aaa.coker.com.au>
List-ID: selinux-refpolicy@vger.kernel.org

On 1/4/19 2:33 AM, Russell Coker wrote:
> Lots of little patches to services.
>
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t) > # Local policy > # > > -allow boinc_t self:process { setsched setpgid signull sigkill }; > +allow boinc_t self:process { setsched setpgid signull sigkill signal }; > allow boinc_t self:unix_stream_socket { accept listen }; > allow boinc_t self:tcp_socket { accept listen }; > allow boinc_t self:shm create_shm_perms; > @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log > > can_exec(boinc_t, boinc_var_lib_t) > libs_exec_lib_files(boinc_t) > +# for mmap of ld.so.cache > +libs_legacy_use_ld_so(boinc_t) > > domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) > > kernel_read_system_state(boinc_t) > kernel_search_vm_sysctl(boinc_t) > kernel_read_crypto_sysctls(boinc_t) > +kernel_read_kernel_sysctls(boinc_t) > > corenet_all_recvfrom_unlabeled(boinc_t) > corenet_all_recvfrom_netlabel(boinc_t) > @@ -142,6 +145,7 @@ init_read_utmp(boinc_t) > logging_send_syslog_msg(boinc_t) > > miscfiles_read_fonts(boinc_t) > +miscfiles_read_generic_certs(boinc_t) > miscfiles_read_localization(boinc_t) > > tunable_policy(`boinc_execmem',` > @@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t) > userdom_getattr_user_ttys(boinc_t) > > optional_policy(` > + # for lsb_release -a > + apt_read_cache(boinc_t) > + apt_read_db(boinc_t) > + dpkg_exec(boinc_t) > + dpkg_read_db(boinc_t) > + > + apt_read_cache(boinc_project_t) > + apt_read_db(boinc_project_t) > + dpkg_exec(boinc_project_t) > + dpkg_read_db(boinc_project_t) > +') > + > +optional_policy(` > java_exec(boinc_project_t) > ') > Index: refpolicy-2.20180701/policy/modules/services/consolekit.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te > +++ refpolicy-2.20180701/policy/modules/services/consolekit.te 
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_ > # Local policy > # > > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; > allow consolekit_t self:process { getsched signal setfscreate }; > allow consolekit_t self:fifo_file rw_fifo_file_perms; > allow consolekit_t self:unix_stream_socket { accept listen }; > Index: refpolicy-2.20180701/policy/modules/services/devicekit.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te > +++ refpolicy-2.20180701/policy/modules/services/devicekit.te > @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek > kernel_read_system_state(devicekit_t) > > dev_read_sysfs(devicekit_t) > +dev_read_rand(devicekit_t) > dev_read_urand(devicekit_t) > > files_read_etc_files(devicekit_t) > Index: refpolicy-2.20180701/policy/modules/services/dictd.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te > +++ refpolicy-2.20180701/policy/modules/services/dictd.te > @@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t) > userdom_dontaudit_use_unpriv_user_fds(dictd_t) > > optional_policy(` > + dbus_system_bus_client(dictd_t) > +') > + > +optional_policy(` > seutil_sigchld_newrole(dictd_t) > ') > > Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te > +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te 
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t) > dev_read_urand(fetchmail_t) > > files_read_etc_runtime_files(fetchmail_t) > +files_read_usr_files(fetchmail_t) > files_search_tmp(fetchmail_t) > files_dontaudit_search_home(fetchmail_t) > > Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc > +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc > @@ -5,3 +5,4 @@ > /usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0) > > /run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0) > +/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0) > Index: refpolicy-2.20180701/policy/modules/services/gdomap.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te > +++ refpolicy-2.20180701/policy/modules/services/gdomap.te > @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin > allow gdomap_t self:tcp_socket { listen accept }; > > allow gdomap_t gdomap_var_run_t:file manage_file_perms; > +# gdomap_var_run_t dir is for chroot > +allow gdomap_t gdomap_var_run_t:dir search; > files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid") > > corenet_sendrecv_gdomap_server_packets(gdomap_t) > @@ -44,3 +46,5 @@ files_search_tmp(gdomap_t) > auth_use_nsswitch(gdomap_t) > > logging_send_syslog_msg(gdomap_t) > + > +miscfiles_read_localization(gdomap_t) > Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te > +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te 
> @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_ > > fs_getattr_all_fs(irqbalance_t) > fs_search_auto_mountpoints(irqbalance_t) > +fs_search_tmpfs(irqbalance_t) > > domain_use_interactive_fds(irqbalance_t) > > Index: refpolicy-2.20180701/policy/modules/services/jabber.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te > +++ refpolicy-2.20180701/policy/modules/services/jabber.te > @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f > allow jabberd_domain self:tcp_socket { accept listen }; > > manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) > +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms; > > kernel_read_system_state(jabberd_domain) > > @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do > corenet_tcp_sendrecv_generic_if(jabberd_domain) > corenet_tcp_sendrecv_generic_node(jabberd_domain) > corenet_tcp_bind_generic_node(jabberd_domain) > +corenet_udp_bind_generic_node(jabberd_domain) > > dev_read_urand(jabberd_domain) > dev_read_sysfs(jabberd_domain) > Index: refpolicy-2.20180701/policy/modules/services/mon.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/mon.te > +++ refpolicy-2.20180701/policy/modules/services/mon.te > @@ -161,6 +161,7 @@ optional_policy(` > > allow mon_local_test_t self:capability sys_admin; > allow mon_local_test_t self:fifo_file rw_file_perms; > +allow mon_local_test_t self:process getsched; > > can_exec(mon_local_test_t, mon_local_test_exec_t) > > @@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m > > kernel_dontaudit_getattr_core_if(mon_local_test_t) > kernel_getattr_proc(mon_local_test_t) > +# for ps > +kernel_read_kernel_sysctls(mon_local_test_t) > kernel_read_software_raid_state(mon_local_test_t) > kernel_read_system_state(mon_local_test_t) 
> > @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t) > > logging_send_syslog_msg(mon_local_test_t) > > +miscfiles_read_generic_certs(mon_t) > miscfiles_read_localization(mon_local_test_t) > > sysnet_read_config(mon_local_test_t) > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket { > allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; > allow NetworkManager_t self:packet_socket create_socket_perms; > allow NetworkManager_t self:socket create_socket_perms; > +allow NetworkManager_t self:rawip_socket { create setopt getattr write read }; > > allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; > > Index: refpolicy-2.20180701/policy/modules/services/policykit.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te > +++ refpolicy-2.20180701/policy/modules/services/policykit.te > @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t > > optional_policy(` > dbus_system_domain(policykit_t, policykit_exec_t) > + init_dbus_chat(policykit_t) > > userdom_dbus_send_all_users(policykit_t) > > Index: refpolicy-2.20180701/policy/modules/services/postfix.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te > +++ refpolicy-2.20180701/policy/modules/services/postfix.te 
> @@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po > manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) > manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) > > +optional_policy(` > + init_dbus_chat(postfix_bounce_t) > +') > + > ######################################## > # > # Cleanup local policy > Index: refpolicy-2.20180701/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20180701/policy/modules/services/ssh.te > @@ -248,6 +248,9 @@ optional_policy(` > # sshd_t is the domain for the sshd program. > # > > +# for /run/user/UID/bus access, probably pam_systemd.so > +allow sshd_t self:capability dac_read_search; > + > # so a tunnel can point to another ssh tunnel > allow sshd_t self:netlink_route_socket r_netlink_socket_perms; > allow sshd_t self:key { search link write }; > Index: refpolicy-2.20180701/policy/modules/services/tor.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/tor.te > +++ refpolicy-2.20180701/policy/modules/services/tor.te > @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t) > corenet_tcp_sendrecv_all_reserved_ports(tor_t) > > dev_read_sysfs(tor_t) > +dev_read_rand(tor_t) > dev_read_urand(tor_t) > > domain_use_interactive_fds(tor_t) > @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t) > > logging_send_syslog_msg(tor_t) > > +miscfiles_read_generic_certs(tor_t) > miscfiles_read_localization(tor_t) > > tunable_policy(`tor_bind_all_unreserved_ports',` Merged. -- Chris PeBenito
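Review bot: in the boinc.te hunk at @@ -80, the comment "# for mmap of ld.so.cache" does not explain why the legacy interface was chosen: libs_legacy_use_ld_so(boinc_t) is a broader, per-domain grant, while a missing map permission on ld.so.cache would affect any domain that loads shared objects and belongs in the generic ld.so interface if that is really the gap. Please record which permission the AVC actually denied and either fix it centrally or reword the comment to say what the legacy interface adds here. The kernel_read_kernel_sysctls(boinc_t) line in the same hunk carries no comment at all; a one-line reason, as on the other additions, would help the next reader.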
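Review bot: the new optional_policy block in boinc.te at @@ -210 mixes apt_* and dpkg_* interfaces from two different modules; refpolicy convention is one module per optional_policy block, so split it into an apt block and a dpkg block so that the dpkg rules still apply when the apt module is not loaded. The "# for lsb_release -a" comment justifies the client domain, but boinc_project_t is the domain for downloaded project applications; please confirm those also run lsb_release before giving that domain dpkg_exec and package-database reads, and if only boinc_t needs it, drop the boinc_project_t half.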
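Review bot: in the consolekit.te hunk, dac_read_search is added beside dac_override, but dac_override already covers everything dac_read_search permits, so the addition only matters for which capability the kernel checks (and logs) first. If this was added to silence an AVC for dac_read_search, say so in a comment; and if consolekit's real need is only reading and searching DAC-protected directories, the narrower dac_read_search should replace dac_override rather than sit next to it.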
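Review bot: in the gdomap.te hunk at @@ -27, the rule under "# gdomap_var_run_t dir is for chroot" grants only search on the directory and the new /run/gdomap(/.*)? file context only labels it; nothing in the patch creates it. If gdomap creates the directory itself at startup rather than the package or a tmpfiles entry doing so, it also needs create permission and a files_pid_filetrans(gdomap_t, gdomap_var_run_t, dir, "gdomap") next to the existing "gdomap.pid" transition, otherwise the directory comes up as var_run_t and the search rule never applies. Chrooting also requires the sys_chroot capability; the capability line just above the hunk is cut off in this copy, so please confirm it is already in the set.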
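Review bot: in the jabber.te hunk at @@ -38, the raw `allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;` sits directly under a manage_files_pattern() call; for consistency with the surrounding code use the matching macro, `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`, rather than a hand-written allow.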
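Review bot: in the jabber.te hunk at @@ -46, corenet_udp_bind_generic_node(jabberd_domain) permits binding a UDP socket to a node, but no UDP port type is granted with it and the visible self:tcp_socket rule has no udp_socket counterpart. Please add a comment saying what jabberd binds UDP for, confirm jabberd_domain already has self:udp_socket create_socket_perms, and add the corresponding corenet_udp_bind_*_port call if it binds a specific port (an ephemeral bind to port 0 needs no port rule, in which case say that instead).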
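Review bot: in the mon.te hunk at @@ -207, `miscfiles_read_generic_certs(mon_t)` is inserted in the mon_local_test_t local policy section; every surrounding rule targets mon_local_test_t. If the certificate read is needed by the local test scripts, the argument is a typo and should be mon_local_test_t; if it is the mon daemon that needs it, the line belongs in the mon_t block earlier in the file, where a later reader will look for it.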
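Review bot: in the networkmanager.te hunk, the new `self:rawip_socket { create setopt getattr write read }` line is the only socket rule in the block spelled out as an explicit permission list; its neighbours use create_socket_perms. If the narrower set is deliberate, add a comment saying what NetworkManager uses raw IP sockets for and why ioctl, bind and connect are excluded, so nobody later "fixes" it to the macro; if it is not deliberate, use create_socket_perms for consistency.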
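Review bot: in the policykit.te hunk, init_dbus_chat(policykit_t) is added to the existing dbus optional_policy block with no comment on what polkit exchanges with init over the bus. Since the same interface is also added for postfix_bounce_t in the next file, please note the denial being fixed in each case so the two grants can be judged separately.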
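Review bot: in the postfix.te hunk, `init_dbus_chat(postfix_bounce_t)` lets the bounce daemon exchange D-Bus messages with init with no comment explaining why a Postfix bounce process would talk to init at all. Please add the reason and the AVC it fixes; if it is an incidental denial from a library rather than something the daemon needs in order to work, a dontaudit (or nothing) is preferable to a new privilege for a mail-handling domain.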
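Review bot: in the ssh.te hunk, the comment on the new `allow sshd_t self:capability dac_read_search;` says "probably pam_systemd.so"; a capability grant on a network-facing domain should rest on a confirmed denial rather than a guess. Please put the actual AVC (source path, target path and class) in the comment. If the target really is the user's /run/user/UID/bus directory, check whether sshd_t already holds dac_override (in which case this line only changes which capability is checked first) and whether the access could be satisfied by ownership or labeling of that directory instead of a DAC bypass that applies to every path sshd touches.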