Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-3.5 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 27F4EC43387 for ; Sat, 5 Jan 2019 19:39:26 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id E5809222FE for ; Sat, 5 Jan 2019 19:39:25 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="QheOWf/b" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726277AbfAETjZ (ORCPT ); Sat, 5 Jan 2019 14:39:25 -0500 Received: from mail-qt1-f193.google.com ([209.85.160.193]:41254 "EHLO mail-qt1-f193.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726262AbfAETjZ (ORCPT ); Sat, 5 Jan 2019 14:39:25 -0500 Received: by mail-qt1-f193.google.com with SMTP id l12so43832987qtf.8 for ; Sat, 05 Jan 2019 11:39:24 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=yHEMEXvfWO/zN0KJforOuG0WAg31UyqiTymxu1Sge54=; b=QheOWf/bbH6RV0aPR8faU1EfnCi+geZDlpGNYdRqNwPR4/EczDLyDNDVtz9VOGDLik Q6a+OP32y+D9/FKpwl1VnlfotlqpylpyhozCXqHB8xgBuSgDoMuylmf/hqMZu2AENEwW CrPCjVXvPbdkq7c5NNIlsM90q7MuUOx3hQMSI= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=yHEMEXvfWO/zN0KJforOuG0WAg31UyqiTymxu1Sge54=; b=PuVkaNezvRLXWaIaFWaC8H+7FKOg7JR12oj9LKGxo+y+suyr8waZecV6gjpE1epeoP 3YCC8qc9OvdsXGt/E1nnMtOW32BX4wemmSvlfY/XQULYTN9VpuKIGKjVvBuiUEVxBPVm nsm+LAOCR2m03y/fud5ftvnN1jJNl8583RGJChVgniw0Mibp030xu24vvoA14aZgL6Gu KWLNU2GIbERbl1+R36ztesaEluyy0TNH2svoEmHl40g42SLVHT6WROKB7oUo1UoYPHYX mndBUFTpUxSpWRWdwaP2oP5IqIXkHPpWiNhigb8PK7j0MDmBSb1KdZm+OMpmP5rMnDDZ z1SQ== X-Gm-Message-State: AA+aEWYdUIsmXZ7py19oFaO44Zl3MvvngQzYmsJ+E5Q+bESZTWFPll4y b9BG2q7+gHuGgrU1/vMqc0Z3ltR/dpE= X-Google-Smtp-Source: ALg8bN6S+ppoh2XEiEv/Yj1uVFuoazgZzqWeQtojmyPV0OirCQMhzFkyvb+6Jk/bMob30QfRL3WB6Q== X-Received: by 2002:ac8:5509:: with SMTP id j9mr51953538qtq.287.1546717163909; Sat, 05 Jan 2019 11:39:23 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id g23sm35102834qta.24.2019.01.05.11.39.23 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Sat, 05 Jan 2019 11:39:23 -0800 (PST) Subject: Re: [PATCH] misc interfaces To: Russell Coker , selinux-refpolicy@vger.kernel.org References: <20190104073312.GA11256@aaa.coker.com.au> From: Chris PeBenito Message-ID: <70440b14-0034-f72f-cbb1-f59a39ca67f7@ieee.org> Date: Sat, 5 Jan 2019 13:39:37 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190104073312.GA11256@aaa.coker.com.au> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/4/19 2:33 AM, Russell Coker wrote: > This patch has some small interface changes as well as the policy patches to > use the new interfaces. > > Index: refpolicy-2.20180701/policy/modules/admin/apt.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if > +++ refpolicy-2.20180701/policy/modules/admin/apt.if > @@ -171,7 +171,7 @@ interface(`apt_read_cache',` > > files_search_var($1) > allow $1 apt_var_cache_t:dir list_dir_perms; > - allow $1 apt_var_cache_t:file read_file_perms; > + allow $1 apt_var_cache_t:file mmap_read_file_perms; > ') > > ######################################## > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',` > > files_search_var($1) > allow $1 apt_var_cache_t:dir manage_dir_perms; > - allow $1 apt_var_cache_t:file manage_file_perms; > + allow $1 apt_var_cache_t:file { manage_file_perms map }; > ') I dropped these hunks. In general the map should be a separate interface, unless you're arguing that in all cases there should be mmaping. Otherwise the remainder is merged. > ######################################## > Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if > +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if > @@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',` > > allow $1 dpkg_script_tmp_t:file map; > ') > + > +######################################## > +## > +## read dpkg_script_tmp_t links > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dpkg_read_script_tmp_links',` > + gen_require(` > + type dpkg_script_tmp_t; > + ') > + > + allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms; > +') > Index: refpolicy-2.20180701/policy/modules/services/gpm.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/gpm.if > +++ refpolicy-2.20180701/policy/modules/services/gpm.if > @@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl' > ') > > dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms; > + dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms; > ') > > ######################################## > Index: refpolicy-2.20180701/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',` > > ####################################### > ## > +## relabel the last logins log. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`auth_relabel_lastlog',` > + gen_require(` > + type lastlog_t; > + ') > + > + logging_search_logs($1) > + allow $1 lastlog_t:file { relabelfrom relabelto }; > +') > + > +####################################### > +## > ## Read and write to the last logins log. > ## > ## > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',` > ') > > ######################################## > +## > +## Manage the last logins log. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`auth_manage_lastlog',` > + gen_require(` > + type lastlog_t; > + ') > + > + allow $1 lastlog_t:file manage_file_perms; > + logging_rw_generic_log_dirs($1) > +') > + > +######################################## > ## > ## Execute pam programs in the pam domain. > ## > Index: refpolicy-2.20180701/policy/modules/system/raid.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/raid.if > +++ refpolicy-2.20180701/policy/modules/system/raid.if > @@ -48,6 +48,26 @@ interface(`raid_run_mdadm',` > > ######################################## > ## > +## read mdadm pid files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`raid_read_mdadm_pid',` > + gen_require(` > + type mdadm_var_run_t; > + ') > + > + files_search_pids($1) > + allow $1 mdadm_var_run_t:dir list_dir_perms; > + allow $1 mdadm_var_run_t:file read_file_perms; > +') > + > +######################################## > +## > ## Create, read, write, and delete > ## mdadm pid files. > ## > Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if > +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if > @@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',` > optional_policy(` > nscd_use($1) > ') > + optional_policy(` > + # for /etc/resolv.conf symlink > + networkmanager_read_pid_files($1) > + ') > > ifdef(`init_systemd',` > optional_policy(` > Index: refpolicy-2.20180701/policy/modules/system/modutils.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te > +++ refpolicy-2.20180701/policy/modules/system/modutils.te > @@ -136,6 +136,7 @@ optional_policy(` > # for postinst of a new kernel package > dpkg_manage_script_tmp_files(kmod_t) > dpkg_map_script_tmp_files(kmod_t) > + dpkg_read_script_tmp_links(kmod_t) > ') > > optional_policy(` > Index: refpolicy-2.20180701/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20180701/policy/modules/system/systemd.te > @@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile > # for /etc/mtab > files_manage_etc_symlinks(systemd_tmpfiles_t) > > +fs_getattr_tmpfs(systemd_tmpfiles_t) > +fs_getattr_tmpfs_dirs(systemd_tmpfiles_t) > fs_getattr_xattr_fs(systemd_tmpfiles_t) > > selinux_get_fs_mount(systemd_tmpfiles_t) > selinux_search_fs(systemd_tmpfiles_t) > > +auth_append_lastlog(systemd_tmpfiles_t) > auth_manage_faillog(systemd_tmpfiles_t) > +auth_manage_lastlog(systemd_tmpfiles_t) > auth_manage_login_records(systemd_tmpfiles_t) > auth_manage_var_auth(systemd_tmpfiles_t) > +auth_relabel_lastlog(systemd_tmpfiles_t) > auth_relabel_login_records(systemd_tmpfiles_t) > auth_setattr_login_records(systemd_tmpfiles_t) > > Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te > +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te > @@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t) > mls_file_write_all_levels(bootloader_t) > > term_getattr_all_ttys(bootloader_t) > +term_getattr_generic_ptys(bootloader_t) > term_dontaudit_manage_pty_dirs(bootloader_t) > > corecmd_exec_all_executables(bootloader_t) > @@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_ > domain_use_interactive_fds(bootloader_t) > > files_create_boot_dirs(bootloader_t) > +files_getattr_default_dirs(bootloader_t) > files_manage_boot_files(bootloader_t) > files_manage_boot_symlinks(bootloader_t) > files_read_etc_files(bootloader_t) > @@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade > files_etc_filetrans_etc_runtime(bootloader_t, file) > files_dontaudit_search_home(bootloader_t) > > +fs_list_hugetlbfs(bootloader_t) > fs_mount_fusefs(bootloader_t) > fs_mount_xattr_fs(bootloader_t) > fs_mounton_fusefs(bootloader_t) > @@ -172,7 +175,7 @@ ifdef(`distro_debian',` > > # for apt-cache > apt_read_db(bootloader_t) > - apt_read_cache(bootloader_t) > + apt_manage_cache(bootloader_t) > > dpkg_read_db(bootloader_t) > dpkg_rw_pipes(bootloader_t) > @@ -204,6 +207,10 @@ optional_policy(` > ') > > optional_policy(` > + gpm_getattr_gpmctl(bootloader_t) > +') > + > +optional_policy(` > hal_dontaudit_append_lib_files(bootloader_t) > hal_write_log(bootloader_t) > ') > @@ -230,5 +237,9 @@ optional_policy(` > ') > > optional_policy(` > + raid_read_mdadm_pid(bootloader_t) > +') > + > +optional_policy(` > rpm_rw_pipes(bootloader_t) > ') > -- Chris PeBenito