Subject: Re: [PATCH] tiny stuff for today
To:     Russell Coker <russell@coker.com.au>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <20190122090028.GA6927@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <c0d4ccb0-9483-38a8-de4b-bfe0b796c293@ieee.org>
Date:   Wed, 23 Jan 2019 18:27:01 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20190122090028.GA6927@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk

On 1/22/19 4:00 AM, Russell Coker wrote:
> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.
> 
> Lots of little stuff for system_cronjob_t.
> 
> Other minor trivial changes that should be obvious.
> 
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>   
>   	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##	Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -456,8 +456,8 @@ optional_policy(`
>   # System local policy
>   #
>   
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
>   allow system_cronjob_t self:fd use;
>   allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>   allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
>   kernel_getattr_message_if(system_cronjob_t)
>   
>   kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
>   kernel_read_kernel_sysctls(system_cronjob_t)
>   kernel_read_network_state(system_cronjob_t)
>   kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
>   domain_dontaudit_read_all_domains_state(system_cronjob_t)
>   
>   files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
>   files_read_etc_runtime_files(system_cronjob_t)
>   files_list_all(system_cronjob_t)
>   files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
>   libs_exec_lib_files(system_cronjob_t)
>   libs_exec_ld_so(system_cronjob_t)
>   
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
>   logging_send_audit_msgs(system_cronjob_t)
>   logging_send_syslog_msg(system_cronjob_t)
>   
> @@ -675,6 +677,9 @@ optional_policy(`
>   
>   optional_policy(`
>   	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> +	# for gpg-connect-agent to access /run/user/0
> +	userdom_manage_user_runtime_dirs(system_cronjob_t)
>   ')
>   
>   ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
>   manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>   files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>   
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>   
>   kernel_read_crypto_sysctls(NetworkManager_t)
>   kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
>   dev_getattr_all_chr_files(NetworkManager_t)
>   dev_rw_wireless(NetworkManager_t)
>   
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
>   domain_use_interactive_fds(NetworkManager_t)
>   domain_read_all_domains_state(NetworkManager_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -147,6 +147,7 @@ type xauth_t;
>   type xauth_exec_t;
>   typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>   typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
>   userdom_user_application_domain(xauth_t, xauth_exec_t)
>   
>   type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
>   userdom_read_user_tmp_files(xauth_t)
>   
>   xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>   
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dpkg_nnp_transition(unconfined_t)
>   	dpkg_run(unconfined_t, unconfined_r)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>   
>   fs_getattr_xattr_fs(kmod_t)
>   fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>   
>   init_rw_initctl(kmod_t)
>   init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
>   fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>   fs_mount_tmpfs(systemd_nspawn_t)
>   fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>   
>   term_getattr_generic_ptys(systemd_nspawn_t)
>   term_getattr_pty_fs(systemd_nspawn_t)

Merged.

-- 
Chris PeBenito