Return-Path: <SRS0=hoI8=QA=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-0.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED,
	DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS,
	MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id A01D5C282C0
	for <selinux-refpolicy@archiver.kernel.org>; Thu, 24 Jan 2019 00:02:30 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 63CAF218A1
	for <selinux-refpolicy@archiver.kernel.org>; Thu, 24 Jan 2019 00:02:30 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="KO891O7K"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726168AbfAXACa (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Wed, 23 Jan 2019 19:02:30 -0500
Received: from mail-qk1-f194.google.com ([209.85.222.194]:36692 "EHLO
        mail-qk1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726125AbfAXACa (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 23 Jan 2019 19:02:30 -0500
Received: by mail-qk1-f194.google.com with SMTP id o125so2215766qkf.3
        for <selinux-refpolicy@vger.kernel.org>; Wed, 23 Jan 2019 16:02:28 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=/4GqX2DCiZigt8LVN2PU8Xc+VBouLcwZHGjbDIhm2rY=;
        b=KO891O7KHbkjp8uvgNjHm4WdC7wZxpRHMvfBvktWdLhmedVtA4+/QUMhCZef+ASvbG
         O6t3xLqNVa6miVXM1cct2Jz5P8rj7RaaIv88IUklKpWdnVuvGQBG0oR1aubMvOkccwJo
         BDFEYKS1XvtYmQ3r1ILntA+HPbprcloo0bx8Q=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=/4GqX2DCiZigt8LVN2PU8Xc+VBouLcwZHGjbDIhm2rY=;
        b=T3NuL8SOrRvy6aTE+XKlA5ZpWWskegEC7Wy97c8Er+4AgCF3fMEP5uQMOUbacZnFr8
         n35yk3LCbrVdKxJWTtkgNx1E1bAGTGe+HRjWUWT1x9QcFSR6pzi+BB8SehJZQUp4pcD6
         OMMFMWugF2RxNdtl9w1oI/2x89SFXqUmsU6vpkA0QmSoPx2hpqrukREGccynuF95v8Vk
         bBPp4U6cpU51VpZp/z1EK54eXX17Kkh08EpBQV1YLcziy609WNWnaILM+R3qk09OEc4Z
         YhhqMdMaJUNhY9By4X9cgYGAjdarK1SK1wMA3fKpJVJTnw0gnDxVtWzqofKtln7yNH6Q
         O+KQ==
X-Gm-Message-State: AJcUukcTOXMmu6tNaNONGU7qjEdNTuVkaztG0Q3ZmdXvJXdqRWFekFZJ
        eV91k4HjBAYixfjZECxaVHSN3+cVPwQ=
X-Google-Smtp-Source: ALg8bN78fLsKMsKUGNCR3xn6DhxWiXd2YR/A3FtUEgLwLEajK2lRwZEuQXEfCX7be7hC7uvW7nMRWw==
X-Received: by 2002:a37:945:: with SMTP id 66mr3751305qkj.123.1548288147831;
        Wed, 23 Jan 2019 16:02:27 -0800 (PST)
Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id t5sm46606566qkl.14.2019.01.23.16.02.27
        (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128);
        Wed, 23 Jan 2019 16:02:27 -0800 (PST)
Subject: Re: [PATCH] yet more tiny stuff
To:     Russell Coker <russell@coker.com.au>,
        "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
References: <20190121225928.GA2428@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <b86eaf41-ce56-4d3b-f10e-59ba726d77d6@ieee.org>
Date:   Wed, 23 Jan 2019 18:35:28 -0500
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101
 Thunderbird/60.3.0
MIME-Version: 1.0
In-Reply-To: <20190121225928.GA2428@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/21/19 5:59 PM, Russell Coker wrote:
> I think this should be self-explanatory.  I've added an audit trace for the
> sys_ptrace access that was previously rejected.
> 
> 
> Here is the audit log for sys_ptrace:
> type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service
> type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
> type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/
> type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null)
> type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc:  denied  { sys_ptrace } for  pid=12750 comm=systemctl capability=sys_ptrace  scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0
> 
> Index: refpolicy-2.20180701/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20180701/policy/modules/apps/gpg.te
> @@ -184,11 +184,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	cron_system_entry(gpg_t, gpg_exec_t)
> -	cron_read_system_job_tmp_files(gpg_t)
> -')
> -
> -optional_policy(`
>   	xserver_use_xdm_fds(gpg_t)
>   	xserver_rw_xdm_pipes(gpg_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr
>   dev_getattr_all_blk_files(system_cronjob_t)
>   dev_getattr_all_chr_files(system_cronjob_t)
>   dev_getattr_mtrr_dev(system_cronjob_t)
> +dev_read_rand(system_cronjob_t)
>   dev_read_urand(system_cronjob_t)
>   dev_read_sysfs(system_cronjob_t)
>   # for checkarray to write to sync_action
> @@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj
>   mls_file_read_to_clearance(system_cronjob_t)
>   
>   init_domtrans_script(system_cronjob_t)
> +init_read_generic_units_links(system_cronjob_t)
>   init_read_utmp(system_cronjob_t)
>   init_use_script_fds(system_cronjob_t)
>   
> @@ -623,6 +625,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	gpg_exec(system_cronjob_t)
> +')
> +
> +optional_policy(`
>   	inn_manage_log(system_cronjob_t)
>   	inn_manage_pid(system_cronjob_t)
>   	inn_read_config(system_cronjob_t)
> Index: refpolicy-2.20180701/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/init.if
> +++ refpolicy-2.20180701/policy/modules/system/init.if
> @@ -2962,6 +2962,25 @@ interface(`init_search_units',`
>   
>   ########################################
>   ## <summary>
> +##	Read systemd unit links
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_read_generic_units_links',`
> +	gen_require(`
> +		type systemd_unit_t;
> +		class service status;
> +	')
> +
> +	allow $1 systemd_unit_t:lnk_file read_lnk_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Get status of generic systemd units.
>   ## </summary>
>   ## <param name="domain">
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat
>   allow irqbalance_t self:unix_stream_socket create_stream_socket_perms;
>   
>   manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file)
> +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t)
> +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file })
>   
>   kernel_read_network_state(irqbalance_t)
>   kernel_read_system_state(irqbalance_t)
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
>   # Local policy
>   #
>   
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
>   # systemctl asks for net_admin
>   dontaudit logrotate_t self:capability net_admin;
>   allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };

Merged.

-- 
Chris PeBenito