Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp239931pxb;
        Wed, 20 Jan 2021 06:03:46 -0800 (PST)
X-Google-Smtp-Source: ABdhPJzOjy9TA/Ly/lr8pDkBeLnd37me2YiGCnVzAHaFoDylaQrq6LswZf9fAKvf+nNIptXpvpDn
X-Received: by 2002:a17:906:f950:: with SMTP id ld16mr6344713ejb.553.1611151425838;
        Wed, 20 Jan 2021 06:03:45 -0800 (PST)
ARC-Seal: i=1; a=rsa-sha256; t=1611151425; cv=none;
        d=google.com; s=arc-20160816;
        b=H+xsjf8tC+T1pTu+3hf+IKsHyfNKb5nysUwlmAVPizV16cHh1SLDTBswrCkaQ09kaS
         rHGYBpy6h08yT+6OeZD2utL16euXC0tZY2Op8mLQiOgvUoDrgEyVtFe4zOw4dxA/BFjQ
         +d0fb7fHpXMoxwrd2Tl/pV7zPLCbVQNC0TuUeNQfXaOodlrb1tPv/kV35VhSNt/YwPiX
         UQn4sKFdaWtiCs83rFP3nwRZyUKcqpubgrRlXS+FvCFdyzFosUBje3SXwxen2WZX6zU4
         bCKqZZY7QCJ0XzkVcULwIeDjCGluVbzreVkUvcqX0QyuaYIF1Wc34zUn7gpLWylpPFEx
         ZA8g==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to
         :date:references:subject:cc:to:from:dkim-signature:dkim-filter;
        bh=FSJGxSTx40E2FOYCyYVPSJdxs8R1EpaPtlUB/8BXfUg=;
        b=0EFx8wBF3gsoo/cyY/9/lFx+mcb//rQboOIgKFeH8dnULsl5N1CPSI8Nn2+b/sHEnP
         kFqQF3FBoP+JnYbjZm4/ZPhsG5aYMtAf++nJSiJChv8PThHSUPFAqm+MufJsQnVVk9Nh
         r9MKmVCtNGIxrZfuIqa1nbglhyXjQ1s/xpCdYa8+d9mD/WIt+TGyRFjlOvo9EbpuOWbh
         pw5uSGgsJ3ySwekBMAFlwhT+0wO9VmNyJB+R5WYtLZ0Op50cI48unjMoHuUrChUMYO+9
         GlX8WYx2GRn6Lb/DjnifSFGBLX7igEN1lteE+SM5Ojnzqb40DfPr+2RgViWunhRlSZAM
         uwMg==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=BHO9J8zW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id c14si879915edw.442.2021.01.20.06.03.40;
        Wed, 20 Jan 2021 06:03:45 -0800 (PST)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@defensec.nl header.s=default header.b=BHO9J8zW;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1730481AbhATN7k (ORCPT <rfc822;linux.lists.archive@gmail.com>
        + 16 others); Wed, 20 Jan 2021 08:59:40 -0500
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40002 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S2389888AbhATN3s (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Wed, 20 Jan 2021 08:29:48 -0500
Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711])
        by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7CC07C0613D3
        for <selinux-refpolicy@vger.kernel.org>; Wed, 20 Jan 2021 05:28:52 -0800 (PST)
Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438])
        by agnus.defensec.nl (Postfix) with ESMTPSA id CCA412A0D7E;
        Wed, 20 Jan 2021 14:28:51 +0100 (CET)
DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl CCA412A0D7E
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl;
        s=default; t=1611149331;
        bh=FSJGxSTx40E2FOYCyYVPSJdxs8R1EpaPtlUB/8BXfUg=;
        h=From:To:Cc:Subject:References:Date:In-Reply-To:From;
        b=BHO9J8zWWwLv+dMM/RB2ow0lQ9fVmIVtxfw3dsfZhoKZLC+G5jZGpzqeshZmiRCz9
         Zq3tZT1KJaFLXLedL1okDUAxJ8drDfnvV5FljGYmZZss7VWwXNGncEi3ZOstaXlkDt
         4qpSvnZ9lw19Er47Tr9U5gjLCSHA/WypGuu9PnOo=
From:   Dominick Grift <dominick.grift@defensec.nl>
To:     Russell Coker <russell@coker.com.au>
Cc:     selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc apps and admin patches
References: <YAgCC7ngI/WrlxMR@xev>
Date:   Wed, 20 Jan 2021 14:28:49 +0100
In-Reply-To: <YAgCC7ngI/WrlxMR@xev> (Russell Coker's message of "Wed, 20 Jan
        2021 21:12:27 +1100")
Message-ID: <ypjl5z3rn3e6.fsf@defensec.nl>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

> Patches for apt unattended upgrades and dbus, logrotate certs and samba,
> games_t, mplayer/mencoder, and sysadm_t dbus.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210120/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
>  /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>  
>  ifndef(`distro_redhat',`
>  /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
>  /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
>  /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210120/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
>  	nis_use_ypbind(apt_t)
>  ')
>  
> @@ -169,5 +173,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
>  	unconfined_domain(apt_t)
>  ')
> Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>  
>  	dpkg_read_db(bootloader_t)
>  	dpkg_rw_pipes(bootloader_t)
> +
> +	apt_use_fds(bootloader_t)
> +	apt_use_ptys(bootloader_t)
>  ')
>  
>  ifdef(`distro_redhat',`
> Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
>  logging_send_audit_msgs(logrotate_t)
>  logging_exec_all_logs(logrotate_t)
>  
> +miscfiles_read_generic_certs(logrotate_t)
>  miscfiles_read_localization(logrotate_t)
>  
>  seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	samba_domtrans_smbcontrol(logrotate_t)
>  	samba_exec_log(logrotate_t)
>  ')
>  
> Index: refpolicy-2.20210120/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210120/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>  
>  can_exec(games_t, games_exec_t)
>  
> +kernel_read_kernel_sysctls(games_t)
>  kernel_read_system_state(games_t)
>  
>  corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>  
>  corenet_all_recvfrom_netlabel(games_t)
>  corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>  
>  logging_dontaudit_search_logs(games_t)
>  
> +miscfiles_read_generic_certs(games_t)
>  miscfiles_read_man_pages(games_t)
>  miscfiles_read_localization(games_t)
>  
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
>  ')
>  
>  optional_policy(`
> +	alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
>  	dbus_all_session_bus_client(games_t)
>  	dbus_connect_all_session_bus(games_t)
> +	dbus_read_lib_files(games_t)
> +	dbus_system_bus_client(games_t)
>  ')
>  
>  optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	xdg_read_config_files(games_t)
> +	xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
>  	xserver_create_xdm_tmp_sockets(games_t)
>  	xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
>  	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
>  	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>  
> -	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> +	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
>  	ps_process_pattern($2, { mplayer_t mencoder_t })
>  
>  	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
>  	fs_manage_cifs_symlinks(mencoder_t)
>  ')
>  
> +tunable_policy(`xserver_allow_dri',`
> +	dev_rw_dri(mplayer_t)
> +')
> +
>  ########################################
>  #
>  # Mplayer local policy
>  #
>  
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
>  allow mplayer_t self:fifo_file rw_fifo_file_perms;
>  allow mplayer_t self:sem create_sem_perms;
>  allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
>  kernel_dontaudit_list_unlabeled(mplayer_t)
>  kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
>  kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
>  kernel_read_system_state(mplayer_t)
>  kernel_read_kernel_sysctls(mplayer_t)
>  
> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
> @@ -530,6 +530,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	init_dbus_chat(sysadm_t)

Can you explain why you added this?

> +')
> +
> +optional_policy(`
>  	inn_admin(sysadm_t, sysadm_r)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift