Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp239931pxb; Wed, 20 Jan 2021 06:03:46 -0800 (PST) X-Google-Smtp-Source: ABdhPJzOjy9TA/Ly/lr8pDkBeLnd37me2YiGCnVzAHaFoDylaQrq6LswZf9fAKvf+nNIptXpvpDn X-Received: by 2002:a17:906:f950:: with SMTP id ld16mr6344713ejb.553.1611151425838; Wed, 20 Jan 2021 06:03:45 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611151425; cv=none; d=google.com; s=arc-20160816; b=H+xsjf8tC+T1pTu+3hf+IKsHyfNKb5nysUwlmAVPizV16cHh1SLDTBswrCkaQ09kaS rHGYBpy6h08yT+6OeZD2utL16euXC0tZY2Op8mLQiOgvUoDrgEyVtFe4zOw4dxA/BFjQ +d0fb7fHpXMoxwrd2Tl/pV7zPLCbVQNC0TuUeNQfXaOodlrb1tPv/kV35VhSNt/YwPiX UQn4sKFdaWtiCs83rFP3nwRZyUKcqpubgrRlXS+FvCFdyzFosUBje3SXwxen2WZX6zU4 bCKqZZY7QCJ0XzkVcULwIeDjCGluVbzreVkUvcqX0QyuaYIF1Wc34zUn7gpLWylpPFEx ZA8g== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:mime-version:user-agent:message-id:in-reply-to :date:references:subject:cc:to:from:dkim-signature:dkim-filter; bh=FSJGxSTx40E2FOYCyYVPSJdxs8R1EpaPtlUB/8BXfUg=; b=0EFx8wBF3gsoo/cyY/9/lFx+mcb//rQboOIgKFeH8dnULsl5N1CPSI8Nn2+b/sHEnP kFqQF3FBoP+JnYbjZm4/ZPhsG5aYMtAf++nJSiJChv8PThHSUPFAqm+MufJsQnVVk9Nh r9MKmVCtNGIxrZfuIqa1nbglhyXjQ1s/xpCdYa8+d9mD/WIt+TGyRFjlOvo9EbpuOWbh pw5uSGgsJ3ySwekBMAFlwhT+0wO9VmNyJB+R5WYtLZ0Op50cI48unjMoHuUrChUMYO+9 GlX8WYx2GRn6Lb/DjnifSFGBLX7igEN1lteE+SM5Ojnzqb40DfPr+2RgViWunhRlSZAM uwMg== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=BHO9J8zW; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id c14si879915edw.442.2021.01.20.06.03.40; Wed, 20 Jan 2021 06:03:45 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@defensec.nl header.s=default header.b=BHO9J8zW; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1730481AbhATN7k (ORCPT + 16 others); Wed, 20 Jan 2021 08:59:40 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:40002 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S2389888AbhATN3s (ORCPT ); Wed, 20 Jan 2021 08:29:48 -0500 Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 7CC07C0613D3 for ; Wed, 20 Jan 2021 05:28:52 -0800 (PST) Received: from brutus (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id CCA412A0D7E; Wed, 20 Jan 2021 14:28:51 +0100 (CET) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl CCA412A0D7E DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1611149331; bh=FSJGxSTx40E2FOYCyYVPSJdxs8R1EpaPtlUB/8BXfUg=; h=From:To:Cc:Subject:References:Date:In-Reply-To:From; b=BHO9J8zWWwLv+dMM/RB2ow0lQ9fVmIVtxfw3dsfZhoKZLC+G5jZGpzqeshZmiRCz9 Zq3tZT1KJaFLXLedL1okDUAxJ8drDfnvV5FljGYmZZss7VWwXNGncEi3ZOstaXlkDt 4qpSvnZ9lw19Er47Tr9U5gjLCSHA/WypGuu9PnOo= From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc apps and admin patches References: Date: Wed, 20 Jan 2021 14:28:49 +0100 In-Reply-To: (Russell Coker's message of "Wed, 20 Jan 2021 21:12:27 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > Patches for apt unattended upgrades and dbus, logrotate certs and samba, > games_t, mplayer/mencoder, and sysadm_t dbus. > > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210120/policy/modules/admin/apt.fc > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc > +++ refpolicy-2.20210120/policy/modules/admin/apt.fc > @@ -5,6 +5,8 @@ > /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0) > +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0) > +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0) > > ifndef(`distro_redhat',` > /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) > @@ -23,5 +25,5 @@ ifndef(`distro_redhat',` > /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0) > > /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0) > - > +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0) > /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0) > Index: refpolicy-2.20210120/policy/modules/admin/apt.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te > +++ refpolicy-2.20210120/policy/modules/admin/apt.te > @@ -155,6 +155,10 @@ optional_policy(` > ') > > optional_policy(` > + networkmanager_dbus_chat(apt_t) > +') > + > +optional_policy(` > nis_use_ypbind(apt_t) > ') > > @@ -169,5 +173,9 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(apt_t) > +') > + > +optional_policy(` > unconfined_domain(apt_t) > ') > Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te > +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te > @@ -186,6 +186,9 @@ ifdef(`distro_debian',` > > dpkg_read_db(bootloader_t) > dpkg_rw_pipes(bootloader_t) > + > + apt_use_fds(bootloader_t) > + apt_use_ptys(bootloader_t) > ') > > ifdef(`distro_redhat',` > Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te > +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te > @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t) > logging_send_audit_msgs(logrotate_t) > logging_exec_all_logs(logrotate_t) > > +miscfiles_read_generic_certs(logrotate_t) > miscfiles_read_localization(logrotate_t) > > seutil_dontaudit_read_config(logrotate_t) > @@ -242,6 +243,7 @@ optional_policy(` > ') > > optional_policy(` > + samba_domtrans_smbcontrol(logrotate_t) > samba_exec_log(logrotate_t) > ') > > Index: refpolicy-2.20210120/policy/modules/apps/games.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/apps/games.te > +++ refpolicy-2.20210120/policy/modules/apps/games.te > @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_ > > can_exec(games_t, games_exec_t) > > +kernel_read_kernel_sysctls(games_t) > kernel_read_system_state(games_t) > > corecmd_exec_bin(games_t) > +corecmd_exec_shell(games_t) > > corenet_all_recvfrom_netlabel(games_t) > corenet_tcp_sendrecv_generic_if(games_t) > @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t) > > logging_dontaudit_search_logs(games_t) > > +miscfiles_read_generic_certs(games_t) > miscfiles_read_man_pages(games_t) > miscfiles_read_localization(games_t) > > @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',` > ') > > optional_policy(` > + alsa_read_config(games_t) > +') > + > +optional_policy(` > dbus_all_session_bus_client(games_t) > dbus_connect_all_session_bus(games_t) > + dbus_read_lib_files(games_t) > + dbus_system_bus_client(games_t) > ') > > optional_policy(` > @@ -175,6 +184,11 @@ optional_policy(` > ') > > optional_policy(` > + xdg_read_config_files(games_t) > + xdg_read_data_files(games_t) > +') > + > +optional_policy(` > xserver_user_x_domain_template(games, games_t, games_tmpfs_t) > xserver_create_xdm_tmp_sockets(games_t) > xserver_read_xdm_lib_files(games_t) > Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if > +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if > @@ -38,7 +38,7 @@ interface(`mplayer_role',` > domtrans_pattern($2, mencoder_exec_t, mencoder_t) > domtrans_pattern($2, mplayer_exec_t, mplayer_t) > > - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms }; > + allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms }; > ps_process_pattern($2, { mplayer_t mencoder_t }) > > allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms }; > Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te > +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te > @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',` > fs_manage_cifs_symlinks(mencoder_t) > ') > > +tunable_policy(`xserver_allow_dri',` > + dev_rw_dri(mplayer_t) > +') > + > ######################################## > # > # Mplayer local policy > # > > -allow mplayer_t self:process { signal_perms getsched }; > +allow mplayer_t self:process { signal_perms getsched setsched }; > allow mplayer_t self:fifo_file rw_fifo_file_perms; > allow mplayer_t self:sem create_sem_perms; > allow mplayer_t self:udp_socket create_socket_perms; > @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm > kernel_dontaudit_list_unlabeled(mplayer_t) > kernel_dontaudit_getattr_unlabeled_files(mplayer_t) > kernel_dontaudit_read_unlabeled_files(mplayer_t) > +kernel_read_crypto_sysctls(mplayer_t) > kernel_read_system_state(mplayer_t) > kernel_read_kernel_sysctls(mplayer_t) > > Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te > @@ -530,6 +530,10 @@ optional_policy(` > ') > > optional_policy(` > + init_dbus_chat(sysadm_t) Can you explain why you added this? > +') > + > +optional_policy(` > inn_admin(sysadm_t, sysadm_r) > ') > > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift