Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.2 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI, SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 1E0B4C282C0 for ; Thu, 24 Jan 2019 00:02:28 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id C149B218A1 for ; Thu, 24 Jan 2019 00:02:27 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="J59pDix3" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726157AbfAXAC1 (ORCPT ); Wed, 23 Jan 2019 19:02:27 -0500 Received: from mail-qt1-f194.google.com ([209.85.160.194]:33218 "EHLO mail-qt1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726125AbfAXAC1 (ORCPT ); Wed, 23 Jan 2019 19:02:27 -0500 Received: by mail-qt1-f194.google.com with SMTP id l11so4626293qtp.0 for ; Wed, 23 Jan 2019 16:02:26 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=dPyfLvJxjQ5WjNciUL9kcRgMUBM+kG/nbUZa2XRCV5Q=; b=J59pDix35tPk7rbFs99CY5RrIiGP8nr8RwuFw8wqVC15HTVgjRXVmQ4Nt8/kRIWFfW HJsTlDTr+99+0PO2xOYQTW44ZRVMUS5fImAZoNq1VdlOE4aY9PQP1xjDmGuKuhr4Zz63 6cs/tOe7s6e7SJSxVBpIWPrUELH0oX0tvb2Qo= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=dPyfLvJxjQ5WjNciUL9kcRgMUBM+kG/nbUZa2XRCV5Q=; 
b=Iq4jYFea1+/FlFvESEVezNgjDe5vTKszRCWDB8Ya4rBgq/I5EZN80frGK4BJVWMqjC V3cGjkwgb9DFVUAw4VQl8At/eS0+8p2WwpWqRDzY1y5CmLD7KNemA4xgc3+bsWtMDg6Z 2eWN684chLF3D+pNTzqnUgIgHTvImg0wQjYA2TSPFzog+9hwayJ+t1n/y2fkn9beYk0u RnpicSyevPPV+uJWUSHTMTiDD/3+JoSxZWSqbQCs6QspczaXRH0qgXNcvpT3JcOJGwR2 SfyP0UywbG+lYSnXmF/H0S4tqqhrKY6Z9luvfqLWbx1MW8RxfGAeplyWhiFcW12MCl2T Oi5w== X-Gm-Message-State: AJcUukeFBQaDqejUsUnFXV648MwDMDWV5d8kIP/sPBOUWn+GBcpKfk7R 7qKA/k9l9Lx+PB+ilAni4FHsXwtaGbw= X-Google-Smtp-Source: ALg8bN5Qfx/yRCmwuivfZhMLGcVmWcuG7U9+/mVEYsv1xmKFdmsNoxQyZY9OCc2eqZAd/ZLrabLQ4Q== X-Received: by 2002:ac8:3181:: with SMTP id h1mr4708383qte.14.1548288145428; Wed, 23 Jan 2019 16:02:25 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id p72sm60327966qke.87.2019.01.23.16.02.24 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Jan 2019 16:02:24 -0800 (PST) Subject: Re: [PATCH] tiny stuff for today To: Russell Coker , "selinux-refpolicy@vger.kernel.org" References: <20190122090028.GA6927@xev> 
From: Chris PeBenito Message-ID: Date: Wed, 23 Jan 2019 18:27:01 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190122090028.GA6927@xev> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org
On 1/22/19 4:00 AM, Russell Coker wrote:
> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.
>
> Lots of little stuff for system_cronjob_t.
>
> Other minor trivial changes that should be obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>
> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> ')
> +
> +########################################
> +##
> +## Transition to dpkg_t when NNP has been set
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dpkg_nnp_transition',`
> + gen_require(`
> + type dpkg_t;
> + ')
> +
> + allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
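Review bot: The new `dpkg_nnp_transition` interface grants `process2 nnp_transition` to dpkg_t, an explicit opt-out of the no_new_privs transition restriction for its caller (the unconfined_t rule in the unconfined.te hunk further down), while the description itself says this "shouldn't be necessary". Nothing in the interface records which NNP-setting caller produced the denial, so the exception cannot be revisited later; a comment above the allow rule such as `# needed because <caller, TODO name the unit or program> runs with no_new_privs set` would capture that. The interface header's XML markup also appears to have been stripped in this mail rendering, so the `<summary>` and `<param>` tags are worth checking in the committed version.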
> @@ -456,8 +456,8 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
> kernel_getattr_message_if(system_cronjob_t)
>
> kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
> domain_dontaudit_read_all_domains_state(system_cronjob_t)
>
> files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
> files_read_etc_runtime_files(system_cronjob_t)
> files_list_all(system_cronjob_t)
> files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
> libs_exec_lib_files(system_cronjob_t)
> libs_exec_ld_so(system_cronjob_t)
>
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
> logging_send_audit_msgs(system_cronjob_t)
> logging_send_syslog_msg(system_cronjob_t)
>
> @@ -675,6 +677,9 @@ optional_policy(`
>
> optional_policy(`
> userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> + # for gpg-connect-agent to access /run/user/0
> + userdom_manage_user_runtime_dirs(system_cronjob_t)
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>
> kernel_read_crypto_sysctls(NetworkManager_t)
> kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
> dev_getattr_all_chr_files(NetworkManager_t)
> dev_rw_wireless(NetworkManager_t)
>
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
> domain_use_interactive_fds(NetworkManager_t)
> domain_read_all_domains_state(NetworkManager_t)
>
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
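Review bot: `logging_manage_generic_logs(system_cronjob_t)` in the -561 cron.te hunk turns a read-only grant into create/write/delete over every generic log file, and nothing in the hunk says which cron job needs it; a comment naming the job, e.g. `# <job, TODO name it> creates and rotates its own log under /var/log`, would let the grant be narrowed later if a write- or append-only interface covers the real operation. In the -675 hunk the comment justifies the access by /run/user/0, but `userdom_manage_user_runtime_dirs` presumably covers every user's runtime directory rather than root's alone; if so, the comment should say that the grant is wider than the stated need, e.g. `# for gpg-connect-agent to access /run/user/0 (interface covers all user runtime dirs)`.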
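Review bot: `dev_write_sysfs_dirs(NetworkManager_t)` in the -136 networkmanager.te hunk is justified only by `# for access(2)`, but a writability probe via access(2) does not require a real write grant; if NetworkManager never actually writes under sysfs, a dontaudit rule for that permission would silence the denial without widening what the daemon can do. The comment should also name the sysfs path probed so the need can be re-checked, e.g. `# NetworkManager probes <sysfs path, TODO fill in> with access(2); no real write observed`. In the -89 hunk, adding `NetworkManager_initrc_exec_t` to `can_exec` runs the init script without a domain transition, which is probably intended but also deserves a one-line comment.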
> @@ -147,6 +147,7 @@ type xauth_t;
> type xauth_exec_t;
> typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
> typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
> userdom_user_application_domain(xauth_t, xauth_exec_t)
>
> type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
> userdom_read_user_tmp_files(xauth_t)
>
> xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dpkg_nnp_transition(unconfined_t)
> dpkg_run(unconfined_t, unconfined_r)
> ')
>
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>
> fs_getattr_xattr_fs(kmod_t)
> fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>
> init_rw_initctl(kmod_t)
> init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
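Review bot: `userdom_manage_user_tmp_dirs(xauth_t)` in the -147 xserver.te hunk is placed between the `typealias` lines and `userdom_user_application_domain`, i.e. in the declarations section, while the other xauth_t access rules such as `userdom_read_user_tmp_files(xauth_t)` live in the local policy section shown in the -308 hunk; moving it next to them keeps the file's declaration/policy split intact. The rule also widens xauth_t from reading user tmp files to creating and deleting user tmp directories, so a comment naming what xauth creates there, e.g. `# xauth creates <what, TODO fill in> under the user tmp dir`, would justify the manage grant.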
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
> fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> fs_mount_tmpfs(systemd_nspawn_t)
> fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>
> term_getattr_generic_ptys(systemd_nspawn_t)
> term_getattr_pty_fs(systemd_nspawn_t)
Merged.
-- Chris PeBenito
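Review bot: `fs_remount_xattr_fs(systemd_nspawn_t)` grants remount on, from its name, presumably every xattr-capable filesystem rather than the tmpfs scope of the `fs_remount_tmpfs` line just above it; if nspawn only remounts particular mounts, a comment recording which, e.g. `# nspawn remounts <mount, TODO fill in> read-only`, and a narrower interface if one exists would keep the container manager's remount reach bounded. The removed `fs_search_cgroup_dirs` is replaced by `fs_read_cgroup_files`, which presumably still includes directory search on cgroup_t; worth confirming so that search is not silently lost.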