Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-0.3 required=3.0 tests=DKIMWL_WL_HIGH,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,LONGWORDS, MAILING_LIST_MULTI,SPF_PASS autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id A01D5C282C0 for ; Thu, 24 Jan 2019 00:02:30 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 63CAF218A1 for ; Thu, 24 Jan 2019 00:02:30 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=ieee.org header.i=@ieee.org header.b="KO891O7K" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726168AbfAXACa (ORCPT ); Wed, 23 Jan 2019 19:02:30 -0500 Received: from mail-qk1-f194.google.com ([209.85.222.194]:36692 "EHLO mail-qk1-f194.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726125AbfAXACa (ORCPT ); Wed, 23 Jan 2019 19:02:30 -0500 Received: by mail-qk1-f194.google.com with SMTP id o125so2215766qkf.3 for ; Wed, 23 Jan 2019 16:02:28 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=/4GqX2DCiZigt8LVN2PU8Xc+VBouLcwZHGjbDIhm2rY=; b=KO891O7KHbkjp8uvgNjHm4WdC7wZxpRHMvfBvktWdLhmedVtA4+/QUMhCZef+ASvbG O6t3xLqNVa6miVXM1cct2Jz5P8rj7RaaIv88IUklKpWdnVuvGQBG0oR1aubMvOkccwJo BDFEYKS1XvtYmQ3r1ILntA+HPbprcloo0bx8Q= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=/4GqX2DCiZigt8LVN2PU8Xc+VBouLcwZHGjbDIhm2rY=; b=T3NuL8SOrRvy6aTE+XKlA5ZpWWskegEC7Wy97c8Er+4AgCF3fMEP5uQMOUbacZnFr8 n35yk3LCbrVdKxJWTtkgNx1E1bAGTGe+HRjWUWT1x9QcFSR6pzi+BB8SehJZQUp4pcD6 OMMFMWugF2RxNdtl9w1oI/2x89SFXqUmsU6vpkA0QmSoPx2hpqrukREGccynuF95v8Vk bBPp4U6cpU51VpZp/z1EK54eXX17Kkh08EpBQV1YLcziy609WNWnaILM+R3qk09OEc4Z YhhqMdMaJUNhY9By4X9cgYGAjdarK1SK1wMA3fKpJVJTnw0gnDxVtWzqofKtln7yNH6Q O+KQ== X-Gm-Message-State: AJcUukcTOXMmu6tNaNONGU7qjEdNTuVkaztG0Q3ZmdXvJXdqRWFekFZJ eV91k4HjBAYixfjZECxaVHSN3+cVPwQ= X-Google-Smtp-Source: ALg8bN78fLsKMsKUGNCR3xn6DhxWiXd2YR/A3FtUEgLwLEajK2lRwZEuQXEfCX7be7hC7uvW7nMRWw== X-Received: by 2002:a37:945:: with SMTP id 66mr3751305qkj.123.1548288147831; Wed, 23 Jan 2019 16:02:27 -0800 (PST) Received: from [192.168.1.190] (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247]) by smtp.gmail.com with ESMTPSA id t5sm46606566qkl.14.2019.01.23.16.02.27 (version=TLS1_2 cipher=ECDHE-RSA-AES128-GCM-SHA256 bits=128/128); Wed, 23 Jan 2019 16:02:27 -0800 (PST) Subject: Re: [PATCH] yet more tiny stuff To: Russell Coker , "selinux-refpolicy@vger.kernel.org" References: <20190121225928.GA2428@xev> From: Chris PeBenito Message-ID: Date: Wed, 23 Jan 2019 18:35:28 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Thunderbird/60.3.0 MIME-Version: 1.0 In-Reply-To: <20190121225928.GA2428@xev> Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/21/19 5:59 PM, Russell Coker wrote: > I think this should be self-explanatory. I've added an audit trace for the > sys_ptrace access that was previously rejected. > > > Here is the audit log for sys_ptrace: > type=PROCTITLE msg=audit(22/01/19 00:00:18.998:61459) : proctitle=systemctl restart cups.service > type=PATH msg=audit(22/01/19 00:00:18.998:61459) : item=0 name=/proc/1/root nametype=UNKNOWN cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 > type=CWD msg=audit(22/01/19 00:00:18.998:61459) : cwd=/ > type=SYSCALL msg=audit(22/01/19 00:00:18.998:61459) : arch=x86_64 syscall=newfstatat success=no exit=EACCES(Permission denied) a0=0xffffff9c a1=0x55dd7ea7a23d a2=0x7ffee0a8a1b0 a3=0x0 items=1 ppid=12745 pid=12750 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=systemctl exe=/bin/systemctl subj=system_u:system_r:logrotate_t:s0 key=(null) > type=AVC msg=audit(22/01/19 00:00:18.998:61459) : avc: denied { sys_ptrace } for pid=12750 comm=systemctl capability=sys_ptrace scontext=system_u:system_r:logrotate_t:s0 tcontext=system_u:system_r:logrotate_t:s0 tclass=capability permissive=0 > > Index: refpolicy-2.20180701/policy/modules/apps/gpg.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/apps/gpg.te > +++ refpolicy-2.20180701/policy/modules/apps/gpg.te > @@ -184,11 +184,6 @@ optional_policy(` > ') > > optional_policy(` > - cron_system_entry(gpg_t, gpg_exec_t) > - cron_read_system_job_tmp_files(gpg_t) > -') > - > -optional_policy(` > xserver_use_xdm_fds(gpg_t) > xserver_rw_xdm_pipes(gpg_t) > ') > Index: refpolicy-2.20180701/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/cron.te > +++ refpolicy-2.20180701/policy/modules/services/cron.te > @@ -520,6 +520,7 @@ corenet_udp_sendrecv_all_ports(system_cr > dev_getattr_all_blk_files(system_cronjob_t) > dev_getattr_all_chr_files(system_cronjob_t) > dev_getattr_mtrr_dev(system_cronjob_t) > +dev_read_rand(system_cronjob_t) > dev_read_urand(system_cronjob_t) > dev_read_sysfs(system_cronjob_t) > # for checkarray to write to sync_action > @@ -551,6 +552,7 @@ files_read_var_lib_symlinks(system_cronj > mls_file_read_to_clearance(system_cronjob_t) > > init_domtrans_script(system_cronjob_t) > +init_read_generic_units_links(system_cronjob_t) > init_read_utmp(system_cronjob_t) > init_use_script_fds(system_cronjob_t) > > @@ -623,6 +625,10 @@ optional_policy(` > ') > > optional_policy(` > + gpg_exec(system_cronjob_t) > +') > + > +optional_policy(` > inn_manage_log(system_cronjob_t) > inn_manage_pid(system_cronjob_t) > inn_read_config(system_cronjob_t) > Index: refpolicy-2.20180701/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/init.if > +++ refpolicy-2.20180701/policy/modules/system/init.if > @@ -2962,6 +2962,25 @@ interface(`init_search_units',` > > ######################################## > ## > +## Read systemd unit links > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_read_generic_units_links',` > + gen_require(` > + type systemd_unit_t; > + class service status; > + ') > + > + allow $1 systemd_unit_t:lnk_file read_lnk_file_perms; > +') > + > +######################################## > +## > ## Get status of generic systemd units. > ## > ## > Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te > +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te > @@ -31,7 +31,8 @@ allow irqbalance_t self:udp_socket creat > allow irqbalance_t self:unix_stream_socket create_stream_socket_perms; > > manage_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) > -files_pid_filetrans(irqbalance_t, irqbalance_pid_t, file) > +manage_sock_files_pattern(irqbalance_t, irqbalance_pid_t, irqbalance_pid_t) > +files_pid_filetrans(irqbalance_t, irqbalance_pid_t, { file sock_file }) > > kernel_read_network_state(irqbalance_t) > kernel_read_system_state(irqbalance_t) > Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te > +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te > @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t; > # Local policy > # > > -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource }; > +# sys_ptrace is for systemctl > +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource }; > # systemctl asks for net_admin > dontaudit logrotate_t self:capability net_admin; > allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; Merged. -- Chris PeBenito