Return-Path: <SRS0=0v2g=PN=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-3.5 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,
	SPF_PASS autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 44683C43387
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 19:39:24 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id EBBFE222FE
	for <selinux-refpolicy@archiver.kernel.org>; Sat,  5 Jan 2019 19:39:23 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="eJoJBcFr"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726270AbfAETjX (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Sat, 5 Jan 2019 14:39:23 -0500
Received: from mail-qt1-f196.google.com ([209.85.160.196]:36873 "EHLO
        mail-qt1-f196.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726262AbfAETjX (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 5 Jan 2019 14:39:23 -0500
Received: by mail-qt1-f196.google.com with SMTP id t33so43882071qtt.4
        for <selinux-refpolicy@vger.kernel.org>; Sat, 05 Jan 2019 11:39:22 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=RrRPuzmmWyEHGVDgNBp1NEDWH+OxlCUB/MmqrNy9PmU=;
        b=eJoJBcFrZBqrTfuN8V1FNN7+apFzYGWuDYDnvLn4x411KNvu0l7JKM+DEwLWSZW8UR
         rNjvD7k0MR5K//TXK7ayXzVkbdLCfOCT6jkQeb/emOv91F//Aq2tiKIfxLkcoCxrOBXU
         V7KCLcSyuxjEWoQrGwovmpZqvjwl0GePBx7c4=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=RrRPuzmmWyEHGVDgNBp1NEDWH+OxlCUB/MmqrNy9PmU=;
        b=udggNraxNZJJeE1DPC6Y3Wu67qomru9SJwgAFcx+ZFO+8RmtuTLhas1/FgmrjDUvck
         GO8kBVILv2ssUplx+f5kJ76yxjl550hUauylpxeuyPpGBJXVVaYi1IHF/2u4Nc2QjNPX
         HMh7Atx/PkhAhaUFgYjr6Jk8V9V8d+wcpTDiQOyz784CvkeOFqJn/m2p5vnbC3RpqPH3
         MsZ4+4lTwWDJRUR34PpdRSMWvRZanh/PsQ2ZSdfeEO+opBSiUnQZQyZIfERo6M9FR0Zh
         gJfyLNsGHMKIiuVPg0444P5FEhuZaUJqrtr3dhC7G1xuINjbh46vRNZ2HSWm0JA4DYEP
         Izwg==
X-Gm-Message-State: AJcUukcCUJiA4P4Hy3FJohTOvIqPZgmlPTyTvMxm5p65HDQWBlnzKvGO
        2pnVG9ksnPzQgxZSsHNkRENLdRA9Hzk=
X-Google-Smtp-Source: ALg8bN4Nf2wEj7j1YdpImBuXhhRb8yN/lTc6PQv1SNXnRXaowZJh1uLB0AlRUz+0p10S98EpKAtmSQ==
X-Received: by 2002:ad4:42d1:: with SMTP id f17mr55234316qvr.59.1546717161625;
        Sat, 05 Jan 2019 11:39:21 -0800 (PST)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id z30sm37361978qtz.26.2019.01.05.11.39.21
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Sat, 05 Jan 2019 11:39:21 -0800 (PST)
Subject: Re: [PATCH] misc services patches
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <20190104073357.GB11256@aaa.coker.com.au>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <d632cbef-182d-b5cd-95f1-ed3c9fb0b4a2@ieee.org>
Date:   Sat, 5 Jan 2019 13:34:31 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20190104073357.GB11256@aaa.coker.com.au>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/4/19 2:33 AM, Russell Coker wrote:
> Lots of little patches to services.
> 
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
>   # Local policy
>   #
>   
> -allow boinc_t self:process { setsched setpgid signull sigkill };
> +allow boinc_t self:process { setsched setpgid signull sigkill signal };
>   allow boinc_t self:unix_stream_socket { accept listen };
>   allow boinc_t self:tcp_socket { accept listen };
>   allow boinc_t self:shm create_shm_perms;
> @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
>   
>   can_exec(boinc_t, boinc_var_lib_t)
>   libs_exec_lib_files(boinc_t)
> +# for mmap of ld.so.cache
> +libs_legacy_use_ld_so(boinc_t)
>   
>   domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>   
>   kernel_read_system_state(boinc_t)
>   kernel_search_vm_sysctl(boinc_t)
>   kernel_read_crypto_sysctls(boinc_t)
> +kernel_read_kernel_sysctls(boinc_t)
>   
>   corenet_all_recvfrom_unlabeled(boinc_t)
>   corenet_all_recvfrom_netlabel(boinc_t)
> @@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
>   logging_send_syslog_msg(boinc_t)
>   
>   miscfiles_read_fonts(boinc_t)
> +miscfiles_read_generic_certs(boinc_t)
>   miscfiles_read_localization(boinc_t)
>   
>   tunable_policy(`boinc_execmem',`
> @@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
>   userdom_getattr_user_ttys(boinc_t)
>   
>   optional_policy(`
> +	# for lsb_release -a
> +	apt_read_cache(boinc_t)
> +	apt_read_db(boinc_t)
> +	dpkg_exec(boinc_t)
> +	dpkg_read_db(boinc_t)
> +
> +	apt_read_cache(boinc_project_t)
> +	apt_read_db(boinc_project_t)
> +	dpkg_exec(boinc_project_t)
> +	dpkg_read_db(boinc_project_t)
> +')
> +
> +optional_policy(`
>   	java_exec(boinc_project_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
>   # Local policy
>   #
>   
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
>   allow consolekit_t self:process { getsched signal setfscreate };
>   allow consolekit_t self:fifo_file rw_fifo_file_perms;
>   allow consolekit_t self:unix_stream_socket { accept listen };
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
>   kernel_read_system_state(devicekit_t)
>   
>   dev_read_sysfs(devicekit_t)
> +dev_read_rand(devicekit_t)
>   dev_read_urand(devicekit_t)
>   
>   files_read_etc_files(devicekit_t)
> Index: refpolicy-2.20180701/policy/modules/services/dictd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
> +++ refpolicy-2.20180701/policy/modules/services/dictd.te
> @@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
>   userdom_dontaudit_use_unpriv_user_fds(dictd_t)
>   
>   optional_policy(`
> +	dbus_system_bus_client(dictd_t)
> +')
> +
> +optional_policy(`
>   	seutil_sigchld_newrole(dictd_t)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
> +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
>   dev_read_urand(fetchmail_t)
>   
>   files_read_etc_runtime_files(fetchmail_t)
> +files_read_usr_files(fetchmail_t)
>   files_search_tmp(fetchmail_t)
>   files_dontaudit_search_home(fetchmail_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
> @@ -5,3 +5,4 @@
>   /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
>   
>   /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
> +/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.te
> @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
>   allow gdomap_t self:tcp_socket { listen accept };
>   
>   allow gdomap_t gdomap_var_run_t:file manage_file_perms;
> +# gdomap_var_run_t dir is for chroot
> +allow gdomap_t gdomap_var_run_t:dir search;
>   files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
>   
>   corenet_sendrecv_gdomap_server_packets(gdomap_t)
> @@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
>   auth_use_nsswitch(gdomap_t)
>   
>   logging_send_syslog_msg(gdomap_t)
> +
> +miscfiles_read_localization(gdomap_t)
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
>   
>   fs_getattr_all_fs(irqbalance_t)
>   fs_search_auto_mountpoints(irqbalance_t)
> +fs_search_tmpfs(irqbalance_t)
>   
>   domain_use_interactive_fds(irqbalance_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20180701/policy/modules/services/jabber.te
> @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
>   allow jabberd_domain self:tcp_socket { accept listen };
>   
>   manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
> +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
>   
>   kernel_read_system_state(jabberd_domain)
>   
> @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
>   corenet_tcp_sendrecv_generic_if(jabberd_domain)
>   corenet_tcp_sendrecv_generic_node(jabberd_domain)
>   corenet_tcp_bind_generic_node(jabberd_domain)
> +corenet_udp_bind_generic_node(jabberd_domain)
>   
>   dev_read_urand(jabberd_domain)
>   dev_read_sysfs(jabberd_domain)
> Index: refpolicy-2.20180701/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20180701/policy/modules/services/mon.te
> @@ -161,6 +161,7 @@ optional_policy(`
>   
>   allow mon_local_test_t self:capability sys_admin;
>   allow mon_local_test_t self:fifo_file rw_file_perms;
> +allow mon_local_test_t self:process getsched;
>   
>   can_exec(mon_local_test_t, mon_local_test_exec_t)
>   
> @@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
>   
>   kernel_dontaudit_getattr_core_if(mon_local_test_t)
>   kernel_getattr_proc(mon_local_test_t)
> +# for ps
> +kernel_read_kernel_sysctls(mon_local_test_t)
>   kernel_read_software_raid_state(mon_local_test_t)
>   kernel_read_system_state(mon_local_test_t)
>   
> @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
>   
>   logging_send_syslog_msg(mon_local_test_t)
>   
> +miscfiles_read_generic_certs(mon_t)
>   miscfiles_read_localization(mon_local_test_t)
>   
>   sysnet_read_config(mon_local_test_t)
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
>   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
>   allow NetworkManager_t self:packet_socket create_socket_perms;
>   allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
>   
>   allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
>   
> Index: refpolicy-2.20180701/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20180701/policy/modules/services/policykit.te
> @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
>   
>   optional_policy(`
>   	dbus_system_domain(policykit_t, policykit_exec_t)
> +	init_dbus_chat(policykit_t)
>   
>   	userdom_dbus_send_all_users(policykit_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> @@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
>   manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   
> +optional_policy(`
> +	init_dbus_chat(postfix_bounce_t)
> +')
> +
>   ########################################
>   #
>   # Cleanup local policy
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -248,6 +248,9 @@ optional_policy(`
>   # sshd_t is the domain for the sshd program.
>   #
>   
> +# for /run/user/UID/bus access, probably pam_systemd.so
> +allow sshd_t self:capability dac_read_search;
> +
>   # so a tunnel can point to another ssh tunnel
>   allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
>   allow sshd_t self:key { search link write };
> Index: refpolicy-2.20180701/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20180701/policy/modules/services/tor.te
> @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
>   corenet_tcp_sendrecv_all_reserved_ports(tor_t)
>   
>   dev_read_sysfs(tor_t)
> +dev_read_rand(tor_t)
>   dev_read_urand(tor_t)
>   
>   domain_use_interactive_fds(tor_t)
> @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
>   
>   logging_send_syslog_msg(tor_t)
>   
> +miscfiles_read_generic_certs(tor_t)
>   miscfiles_read_localization(tor_t)
>   
>   tunable_policy(`tor_bind_all_unreserved_ports',`

Merged.

-- 
Chris PeBenito