Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.8 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS,MAILING_LIST_MULTI, SPF_PASS,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 946A4C43387 for ; Fri, 11 Jan 2019 10:30:50 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 55DF920874 for ; Fri, 11 Jan 2019 10:30:50 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="t6sIru15" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1731763AbfAKKau (ORCPT ); Fri, 11 Jan 2019 05:30:50 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:45948 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1725807AbfAKKau (ORCPT ); Fri, 11 Jan 2019 05:30:50 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id F1395EFE9 for ; Fri, 11 Jan 2019 21:30:47 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1547202648; bh=U6EhQ+kgH8FlgtjdIdmWMmTIdEtB+a5tOa0LLqCu2EI=; l=6075; h=Date:From:To:Subject:From; b=t6sIru15UqA3V58JNHJ4J7uKNE5x+dgXmu72wbovdbBB3Z9XResuNeG0HEYxe5L5u 3ShCwhkcfhS4QbzOcxUCNkzw6JXF3c6kSfPJExtHDfZ0i069rlCA5J/AsBAjH6JvQr deG94oZfiThNZYHwz49+JqI8ugnX4oR/fVFEFnAw= Received: by xev.coker.com.au (Postfix, from userid 1001) id 2A48FC484B3; Fri, 11 Jan 2019 21:30:43 +1100 (AEDT) Date: Fri, 11 Jan 2019 21:30:43 +1100 From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] some little stuff Message-ID: <20190111103043.GA22910@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Tiny and I think they are all obvious. Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te @@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t mount_rw_runtime_files(bootloader_t) +selinux_getattr_fs(bootloader_t) seutil_read_bin_policy(bootloader_t) +seutil_read_file_contexts(bootloader_t) seutil_read_loadpolicy(bootloader_t) seutil_dontaudit_search_config(bootloader_t) Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t; # Local policy # -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; +# sys_ptrace is for systemctl +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource }; # systemctl asks for net_admin dontaudit logrotate_t self:capability net_admin; allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; Index: refpolicy-2.20180701/policy/modules/services/dhcp.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te +++ refpolicy-2.20180701/policy/modules/services/dhcp.te @@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t) logging_send_syslog_msg(dhcpd_t) +miscfiles_read_generic_certs(dhcpd_t) miscfiles_read_localization(dhcpd_t) sysnet_read_dhcp_config(dhcpd_t) Index: refpolicy-2.20180701/policy/modules/services/ssh.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te +++ refpolicy-2.20180701/policy/modules/services/ssh.te @@ -333,6 +333,7 @@ optional_policy(` optional_policy(` xserver_domtrans_xauth(sshd_t) + xserver_link_xdm_keys(sshd_t) ') ######################################## Index: refpolicy-2.20180701/policy/modules/services/xserver.if =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/xserver.if +++ refpolicy-2.20180701/policy/modules/services/xserver.if @@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',` ######################################## ## +## Manage keys for xdm. +## +## +## +## Domain allowed access. +## +## +# +interface(`xserver_link_xdm_keys',` + gen_require(` + type xdm_t; + ') + + allow $1 xdm_t:key link; +') + +######################################## +## ## Read and write the mesa shader cache. ## ## Index: refpolicy-2.20180701/policy/modules/services/xserver.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te +++ refpolicy-2.20180701/policy/modules/services/xserver.te @@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache") xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache") +# for writing to ~/.local/share/sddm/xorg-session.log +xdg_manage_data(xauth_t) + domtrans_pattern(xserver_t, xauth_exec_t, xauth_t) allow xserver_t xauth_home_t:file read_file_perms; Index: refpolicy-2.20180701/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te +++ refpolicy-2.20180701/policy/modules/system/systemd.te @@ -337,6 +337,10 @@ optional_policy(` networkmanager_dbus_chat(systemd_hostnamed_t) ') +optional_policy(` + unconfined_dbus_send(systemd_hostnamed_t) +') + ######################################### # # hw local policy @@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t) dev_rw_sysfs(systemd_logind_t) dev_setattr_dri_dev(systemd_logind_t) dev_setattr_generic_usb_dev(systemd_logind_t) +dev_setattr_input_dev(systemd_logind_t) dev_setattr_kvm_dev(systemd_logind_t) dev_setattr_sound_dev(systemd_logind_t) dev_setattr_video_dev(systemd_logind_t) @@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti # Nspawn local policy # -allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill }; +allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill }; allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot }; allow systemd_nspawn_t self:capability2 wake_alarm; allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; +allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms; allow systemd_nspawn_t systemd_journal_t:dir search; Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) userdom_dontaudit_search_user_home_dirs(groupadd_t) optional_policy(` + apt_use_fds(groupadd_t) +') + +optional_policy(` dbus_system_bus_client(groupadd_t) ') @@ -546,6 +550,10 @@ optional_policy(` ') optional_policy(` + apt_use_fds(groupadd_t) +') + +optional_policy(` dbus_system_bus_client(useradd_t) ')