Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp1666424ybb;
        Thu, 9 Apr 2020 06:49:42 -0700 (PDT)
X-Google-Smtp-Source: APiQypIchViiIsI88bPM+YP8Iq6dEB+X7Llh+dvwoFKIjtHkjI/DLJaHuU7UCx7rSuSYDJjsUL/e
X-Received: by 2002:ac8:ff2:: with SMTP id f47mr4663102qtk.48.1586440182727;
        Thu, 09 Apr 2020 06:49:42 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586440182; cv=none;
        d=google.com; s=arc-20160816;
        b=qieCUj2SBN0cMWI62DQgksC/tgNIo3SfDBaE2ZpGk8VYmp0eL+eIDv8vALb/I4ZLnV
         tPjTaUwD0h0N66yIrOAj2+Q3IBiq2aCQmW64HvWcTHHNcXi7CvfgbhG76utZ3SIL5ssC
         UmyiFgWNEXUl5oYdCs5YoMmY0Ae7ruZblj8/m8Jb58o3LIfNEkeCjskUdHMvKyp+FWA1
         5+1M1/cMlmdZGdqVKOMMPke4nWuyMdjOzynIJ7XPMxUsszQBdt/FHsIROURrp1q6SLvg
         +bfKfWx/DF8mLs9ZbIovpk8X00IWj3jqGzb2DX5Egffp70gFhnRRNYgrUEgmFRMDAlKy
         Wb1A==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-transfer-encoding
         :content-language:in-reply-to:mime-version:user-agent:date
         :message-id:from:references:to:subject:dkim-signature;
        bh=Um1UmiY+YFuG1ZoOHX9PmxFKS4vEtfG0RzBl29ZT6Hw=;
        b=ekHNAVOkrRsFxKG4+rVXU0/4fkxhHtsbzWQ/dJ8UPZmTXc8A9SksmiraoZm6inNvfs
         7l5hJBvEVm43zcxe+izHrasPbwCbTUj2AgszHWAPV+LzqwChOR2+ieOabpOiSkhPHUr6
         FkThBNyowj1yWkr4eIKkzQ8pAn05IkvthjNx+NiRAJRsSNaiV8wVvAQFStUQoQWOnIHQ
         jT7ATsdP5LCMboqdXJm1jSet5uaGBK9O0cDLygNdvEukYAat40iwFXd+0mRu04AeXTMf
         LAB0yXuO16/fIIQVxGAp25W+VCcIkZkw+jdfPBazYfcD9rdX/gkjEtu0AEzZmbIWgFTv
         twDA==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=gTGnPTos;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id 70si5792315qkk.278.2020.04.09.06.49.40;
        Thu, 09 Apr 2020 06:49:42 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@ieee.org header.s=google header.b=gTGnPTos;
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726928AbgDINtL (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Thu, 9 Apr 2020 09:49:11 -0400
Received: from mail-qk1-f195.google.com ([209.85.222.195]:35851 "EHLO
        mail-qk1-f195.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1726582AbgDINtK (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Thu, 9 Apr 2020 09:49:10 -0400
Received: by mail-qk1-f195.google.com with SMTP id l25so3954649qkk.3
        for <selinux-refpolicy@vger.kernel.org>; Thu, 09 Apr 2020 06:49:10 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=ieee.org; s=google;
        h=subject:to:references:from:message-id:date:user-agent:mime-version
         :in-reply-to:content-language:content-transfer-encoding;
        bh=Um1UmiY+YFuG1ZoOHX9PmxFKS4vEtfG0RzBl29ZT6Hw=;
        b=gTGnPTosouXsdhT3eOkfCsZZkDhPYBT4WVq2WyPoIVWzXticLaI7yhhOy4DwO+fP3H
         6Li2LXroc9mK7XxGtDJbfxjBSI/eWnhVIrsPG2GpABIy/e3DowOCAO1iI1xCXtZADAmx
         brEWzTgeMQvyk52XbfQNOHRMOs08pb3oijVB0=
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:subject:to:references:from:message-id:date
         :user-agent:mime-version:in-reply-to:content-language
         :content-transfer-encoding;
        bh=Um1UmiY+YFuG1ZoOHX9PmxFKS4vEtfG0RzBl29ZT6Hw=;
        b=aucpyvbZBo5LLEdteg9cFa1nOpWOgMaVYdMJrS+UCHh/7QCPyNLxfLWSK7ErlDIN2f
         ajfPeazAr4Y/GjRyWI+wa7e7Y3iX2AgjAE/XtIXTw8cRSlhJ0ZlEGao0GBIW8nsaVE3T
         ohAT239Nsm72EiQ/mkY3dTOhaofbWjzE5kBNz0jgqsoBfxy2wBulbwOVPk6me8Mb8hu9
         w2gefJG1OSM9fjpjHrF6vhTSCj0O9aXqn2ykzYE2SVxc+IBPM2SMKhNnF2tK1yk0Yg1Z
         ybI/vxE/axY73YAKhB1LB7BJzc0Ko0eMaTY8m7BVHylGWfnLK63xk8dNICDQ/koAiuTq
         cOMw==
X-Gm-Message-State: AGi0PuZRA8AHqczfm9kv02yiS18FeD0RVaN3QJYkCUoSC1npmqXfc4Po
        q7hRJIpvLHQofSwtV1ZjTu0zLKtxpfM=
X-Received: by 2002:a05:620a:11b0:: with SMTP id c16mr13000531qkk.309.1586440149709;
        Thu, 09 Apr 2020 06:49:09 -0700 (PDT)
Received: from fedora.pebenito.net (pool-108-15-23-247.bltmmd.fios.verizon.net. [108.15.23.247])
        by smtp.gmail.com with ESMTPSA id w30sm22894896qtw.21.2020.04.09.06.49.09
        (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128);
        Thu, 09 Apr 2020 06:49:09 -0700 (PDT)
Subject: Re: latest memlockd patch
To:     Russell Coker <russell@coker.com.au>,
        selinux-refpolicy@vger.kernel.org
References: <20200405084303.GB177560@xev>
From:   Chris PeBenito <pebenito@ieee.org>
Message-ID: <1a72c370-f050-0663-cea7-89e3e95493a9@ieee.org>
Date:   Thu, 9 Apr 2020 09:24:43 -0400
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:68.0) Gecko/20100101
 Thunderbird/68.6.0
MIME-Version: 1.0
In-Reply-To: <20200405084303.GB177560@xev>
Content-Type: text/plain; charset=utf-8; format=flowed
Content-Language: en-US
Content-Transfer-Encoding: 7bit
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/5/20 4:43 AM, Russell Coker wrote:
> Patch for memlockd policy against latest git.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> 
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20200405/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20200405/policy/modules/services/memlockd.te
> @@ -0,0 +1,42 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +allow memlockd_t self:fifo_file rw_file_perms;
> +allow memlockd_t self:unix_dgram_socket { create connect };
> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)
> +auth_map_shadow(memlockd_t)
> +

Below needs to be cleaned up for line ordering.

> +sysnet_mmap_read_config(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +
> +# for ldd
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +
> +corecmd_search_bin(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +# has to exec for ldd
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +
> +miscfiles_read_localization(memlockd_t)
> +
> Index: refpolicy-2.20200405/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20200405/policy/modules/system/sysnetwork.if
> @@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
>   
>   #######################################
>   ## <summary>
> +##	map network config files.
> +## </summary>
> +## <desc>
> +##	<p>
> +##	Allow the specified domain to mmap the
> +##	general network configuration files.
> +##	</p>
> +## </desc>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 net_conf_t:file { read_file_perms map };

There is a mmap_read_file_perms set that has this.

> +')
> +
> +#######################################
> +## <summary>
>   ##	Do not audit attempts to read network config files.
>   ## </summary>
>   ## <param name="domain">
> Index: refpolicy-2.20200405/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20200405.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20200405/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>   
>   ########################################
>   ## <summary>
> +##	Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> +	gen_require(`
> +		type shadow_t;
> +	')
> +	allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
>   ##	Pass shadow assertion for reading.
>   ## </summary>
>   ## <desc>
> 


-- 
Chris PeBenito