From: Dominick Grift To: Russell Coker Cc: selinux-refpolicy@vger.kernel.org Subject: Re: [PATCH] misc services patches References: Date: Wed, 20 Jan 2021 15:53:44 +0100 In-Reply-To: (Russell Coker's message of "Wed, 20 Jan 2021 21:08:43 +1100") Message-ID: User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux) MIME-Version: 1.0 Content-Type: text/plain Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Russell Coker writes: > Misc patches for services policy, ready to merge. > > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210120/policy/modules/services/apache.fc > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc > +++ refpolicy-2.20210120/policy/modules/services/apache.fc > @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.* > /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0) > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0) > /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0) > +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0) that seems fragile. would probably have used "/usr/sbin/php.*-fpm" > +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0) > > ifdef(`distro_suse',` > /usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0) 
> @@ -144,7 +146,7 @@ ifdef(`distro_suse',` > /var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) > /var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0) > -/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) > +/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0) > /var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0) > /var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > /var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0) > @@ -170,6 +172,7 @@ ifdef(`distro_suse',` > /var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0) > /var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0) > /var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0) > +/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0) > > /run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0) > /run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0) > @@ -178,6 +181,7 @@ ifdef(`distro_suse',` > /run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0) > /run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) > /run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0) > +/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0) > /run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0) > /run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0) > > Index: refpolicy-2.20210120/policy/modules/services/apache.if > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/apache.if > +++ refpolicy-2.20210120/policy/modules/services/apache.if 
> @@ -71,6 +71,7 @@ template(`apache_content_template',` > > manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) > manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) > + allow httpd_$1_script_t httpd_$1_rw_content_t:file map; > manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) > manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) > manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t) > @@ -97,6 +98,8 @@ template(`apache_content_template',` > > tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',` > filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file }) > + allow httpd_t httpd_$1_content_t:file map; > + allow httpd_t httpd_$1_rw_content_t:file map; > ') > ') > > @@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content' > apache_search_sys_content($1) > manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) > manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t) > + allow $1 httpd_sys_rw_content_t:file map; > manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t) > ') 
> > @@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da > ') > > ######################################## > +## > +## delete httpd squirrelmail spool files. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`apache_delete_squirrelmail_spool',` > + gen_require(` > + type squirrelmail_spool_t; > + ') > + > + allow $1 squirrelmail_spool_t:dir rw_dir_perms; > + allow $1 squirrelmail_spool_t:file delete_file_perms; delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t) > +') > + > +######################################## > ## > ## Search httpd system content. > ## > Index: refpolicy-2.20210120/policy/modules/services/apache.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/apache.te > +++ refpolicy-2.20210120/policy/modules/services/apache.te > @@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache > manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) > manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t) > files_var_filetrans(httpd_t, httpd_cache_t, dir) > +allow httpd_t httpd_cache_t:file map; > > allow httpd_t httpd_config_t:dir list_dir_perms; > read_files_pattern(httpd_t, httpd_config_t, httpd_config_t) > @@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co > allow httpd_t httpd_htaccess_type:file read_file_perms; > > allow httpd_t httpd_ro_content:dir list_dir_perms; > -allow httpd_t httpd_ro_content:file read_file_perms; > +allow httpd_t httpd_ro_content:file { map read_file_perms }; > allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms; > > allow httpd_t httpd_keytab_t:file read_file_perms; 
> @@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process > manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) > manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) > manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t) > +allow httpd_t httpd_squirrelmail_t:file map; > > allow httpd_t httpd_suexec_exec_t:file read_file_perms; > > @@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process > > manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > +allow httpd_t httpd_tmp_t:file map; > manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t) > files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file }) > @@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_ > > manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > +allow httpd_t httpd_var_lib_t:file map; > manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t) > files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file }) > > @@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo > domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t) > > kernel_read_kernel_sysctls(httpd_t) > +kernel_read_crypto_sysctls(httpd_t) > kernel_read_vm_sysctls(httpd_t) > kernel_read_vm_overcommit_sysctl(httpd_t) > kernel_read_network_state(httpd_t) > @@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t) > dev_read_rand(httpd_t) > dev_read_urand(httpd_t) > dev_rw_crypto(httpd_t) > +dev_rwx_zero(httpd_t) > > domain_use_interactive_fds(httpd_t) 
> > @@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t) > > fs_read_anon_inodefs_files(httpd_t) > fs_rw_inherited_hugetlbfs_files(httpd_t) > +fs_mmap_rw_hugetlbfs_files(httpd_t) > fs_read_iso9660_files(httpd_t) > > files_dontaudit_getattr_all_runtime_files(httpd_t) > files_read_usr_files(httpd_t) > +files_map_usr_files(httpd_t) > files_list_mnt(httpd_t) > files_search_spool(httpd_t) > files_read_var_symlinks(httpd_t) > @@ -504,6 +512,7 @@ files_search_home(httpd_t) > files_getattr_home_dir(httpd_t) > files_read_etc_runtime_files(httpd_t) > files_read_var_lib_symlinks(httpd_t) > +files_map_etc_files(httpd_t) > > auth_use_nsswitch(httpd_t) > > @@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting' > exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type) > > allow httpd_t httpdcontent:dir list_dir_perms; > - allow httpd_t httpdcontent:file read_file_perms; > + allow httpd_t httpdcontent:file { map read_file_perms }; > allow httpd_t httpdcontent:lnk_file read_lnk_file_perms; > > allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms }; > @@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http > > manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent) > manage_files_pattern(httpd_t, httpdcontent, httpdcontent) > + allow httpd_t httpdcontent:file map; > manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent) > manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent) > manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent) > @@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server' > ') > > tunable_policy(`httpd_enable_homedirs',` > - userdom_search_user_home_dirs(httpd_t) > + userdom_list_user_home_content(httpd_t) this is not how it was designed. If you want that functionality then set httpd_read_user_content boolean to true instead > ') > > tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',` 
> @@ -903,6 +913,7 @@ optional_policy(` > # > > read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t) > +allow httpd_t httpd_config_t:file map; > > append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) > read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t) > Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc > +++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc > @@ -2,12 +2,15 @@ > > /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0) > > -/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0) > +/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0) > > +/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0) > /run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0) > > +/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0) > /var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0) > > /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0) > > +/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0) > /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0) > Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if > +++ refpolicy-2.20210120/policy/modules/services/aptcacher.if 
> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',` > files_search_runtime($1) > stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t) > ') > + > +###################################### > +## > +## read aptcacher config > +## > +## > +## > +## Domain allowed to read it. > +## > +## > +# > +interface(`aptcacher_read_config',` > + gen_require(` > + type aptcacher_etc_t; > + ') > + > + files_search_etc($1) > + allow $1 aptcacher_etc_t:dir list_dir_perms; > + allow $1 aptcacher_etc_t:file mmap_read_file_perms; > +') > Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te > +++ refpolicy-2.20210120/policy/modules/services/aptcacher.te > @@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_ > > auth_use_nsswitch(aptcacher_t) > > +files_read_etc_files(aptcacher_t) > + > # Uses sd_notify() to inform systemd it has properly started > init_dgram_send(aptcacher_t) > > Index: refpolicy-2.20210120/policy/modules/services/bind.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/bind.te > +++ refpolicy-2.20210120/policy/modules/services/bind.te > @@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t) > > files_read_etc_runtime_files(named_t) > files_read_usr_files(named_t) > +files_map_usr_files(named_t) > > fs_getattr_all_fs(named_t) > fs_search_auto_mountpoints(named_t) > Index: refpolicy-2.20210120/policy/modules/services/colord.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/colord.te > +++ refpolicy-2.20210120/policy/modules/services/colord.te 
> @@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve > allow colord_t self:tcp_socket { accept listen }; > allow colord_t self:shm create_shm_perms; > > +can_exec(colord_t, colord_exec_t) > + > manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t) > manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t) > files_tmp_filetrans(colord_t, colord_tmp_t, { file dir }) > @@ -128,6 +130,10 @@ optional_policy(` > ') > > optional_policy(` > + snmp_read_snmp_var_lib_files(colord_t) > +') > + > +optional_policy(` > sysnet_exec_ifconfig(colord_t) > ') > > @@ -136,6 +142,10 @@ optional_policy(` > ') > > optional_policy(` > + unconfined_dbus_send(colord_t) > +') > + > +optional_policy(` > xserver_read_xdm_lib_files(colord_t) > xserver_use_xdm_fds(colord_t) > ') > Index: refpolicy-2.20210120/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/cron.te > +++ refpolicy-2.20210120/policy/modules/services/cron.te > @@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t) > init_get_generic_units_status(system_cronjob_t) > init_get_system_status(system_cronjob_t) > > +backup_manage_store_files(system_cronjob_t) > + > auth_manage_var_auth(crond_t) > auth_use_pam(crond_t) > > @@ -340,6 +342,11 @@ ifdef(`distro_debian',` > ') > > optional_policy(` > + aptcacher_read_config(system_cronjob_t) > + corenet_tcp_connect_aptcacher_port(system_cronjob_t) > + ') > + > + optional_policy(` > logwatch_search_cache_dir(crond_t) > ') > ') > @@ -435,6 +442,7 @@ optional_policy(` > init_dbus_chat(crond_t) > init_dbus_chat(system_cronjob_t) > systemd_dbus_chat_logind(system_cronjob_t) > + systemd_read_journal_files(system_cronjob_t) > systemd_write_inherited_logind_sessions_pipes(system_cronjob_t) > # so cron jobs can restart daemons > init_stream_connect(system_cronjob_t) 
> @@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c > corenet_udp_sendrecv_generic_if(system_cronjob_t) > corenet_tcp_sendrecv_generic_node(system_cronjob_t) > corenet_udp_sendrecv_generic_node(system_cronjob_t) > +corenet_udp_bind_generic_node(system_cronjob_t) > > dev_getattr_all_blk_files(system_cronjob_t) > dev_getattr_all_chr_files(system_cronjob_t) > @@ -587,6 +596,7 @@ optional_policy(` > apache_read_log(system_cronjob_t) > apache_read_sys_content(system_cronjob_t) > apache_delete_lib_files(system_cronjob_t) > + apache_delete_squirrelmail_spool(system_cronjob_t) > ') > > optional_policy(` > @@ -659,6 +669,8 @@ optional_policy(` > > optional_policy(` > spamassassin_manage_lib_files(system_cronjob_t) > + spamassassin_status(system_cronjob_t) > + spamassassin_reload(system_cronjob_t) > ') > > optional_policy(` > Index: refpolicy-2.20210120/policy/modules/services/cups.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/cups.te > +++ refpolicy-2.20210120/policy/modules/services/cups.te 
> @@ -111,11 +111,12 @@ ifdef(`enable_mls',` > > allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config }; > dontaudit cupsd_t self:capability { net_admin sys_tty_config }; > -allow cupsd_t self:capability2 block_suspend; > +allow cupsd_t self:capability2 { block_suspend wake_alarm }; > allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; > allow cupsd_t self:fifo_file rw_fifo_file_perms; > allow cupsd_t self:unix_stream_socket { accept connectto listen }; > allow cupsd_t self:netlink_selinux_socket create_socket_perms; > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create > getattr read setopt }; create_socket_perms, use the permission sets and patterns where appropriate > allow cupsd_t self:shm create_shm_perms; > allow cupsd_t self:sem create_sem_perms; > allow cupsd_t self:tcp_socket { accept listen }; > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t) > > libs_read_lib_files(cupsd_t) > libs_exec_lib_files(cupsd_t) > +libs_legacy_use_ld_so(cupsd_t) > > logging_send_audit_msgs(cupsd_t) > logging_send_syslog_msg(cupsd_t) > Index: refpolicy-2.20210120/policy/modules/services/devicekit.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te > +++ refpolicy-2.20210120/policy/modules/services/devicekit.te > @@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t) > fs_unmount_all_fs(devicekit_disk_t) > fs_search_all(devicekit_disk_t) > > +mount_rw_runtime_files(devicekit_disk_t) > + > mls_file_read_all_levels(devicekit_disk_t) > mls_file_write_to_clearance(devicekit_disk_t) > > Index: refpolicy-2.20210120/policy/modules/services/entropyd.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te > +++ refpolicy-2.20210120/policy/modules/services/entropyd.te 
> @@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t) > > fs_getattr_all_fs(entropyd_t) > fs_search_auto_mountpoints(entropyd_t) > +fs_search_tmpfs(entropyd_t) > > domain_use_interactive_fds(entropyd_t) > > Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te > +++ refpolicy-2.20210120/policy/modules/services/fail2ban.te > @@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba > files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file) > > kernel_read_system_state(fail2ban_t) > +kernel_search_fs_sysctls(fail2ban_t) > > corecmd_exec_bin(fail2ban_t) > corecmd_exec_shell(fail2ban_t) > @@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t) > auth_use_nsswitch(fail2ban_t) > > logging_read_all_logs(fail2ban_t) > +logging_read_audit_log(fail2ban_t) > logging_send_syslog_msg(fail2ban_t) > > miscfiles_read_localization(fail2ban_t) > Index: refpolicy-2.20210120/policy/modules/services/jabber.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/jabber.te > +++ refpolicy-2.20210120/policy/modules/services/jabber.te > @@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t) > # usr for lua modules > files_read_usr_files(jabberd_t) > > +files_search_var_lib(jabberd_t) > + > fs_search_auto_mountpoints(jabberd_t) > > +miscfiles_read_generic_tls_privkey(jabberd_t) > miscfiles_read_all_certs(jabberd_t) > > sysnet_read_config(jabberd_t) > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te 
> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_ > allow l2tpd_t self:tcp_socket { accept listen }; > allow l2tpd_t self:unix_dgram_socket sendto; > allow l2tpd_t self:unix_stream_socket { accept listen }; > +allow l2tpd_t self:pppox_socket create; create_socket_perms probably eventually > > read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t) > > Index: refpolicy-2.20210120/policy/modules/services/mon.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/mon.te > +++ refpolicy-2.20210120/policy/modules/services/mon.te > @@ -150,6 +150,10 @@ optional_policy(` > bind_read_zone(mon_net_test_t) > ') > > +optional_policy(` > + mysql_stream_connect(mon_net_test_t) > +') > + > ######################################## > # > # Local policy > @@ -159,7 +163,8 @@ optional_policy(` > # try not to use dontaudit rules for this > # > > -allow mon_local_test_t self:capability sys_admin; > +# sys_ptrace is for reading /proc/1/maps etc > +allow mon_local_test_t self:capability { sys_ptrace sys_admin }; > allow mon_local_test_t self:fifo_file rw_fifo_file_perms; > allow mon_local_test_t self:process getsched; > > Index: refpolicy-2.20210120/policy/modules/services/mysql.fc > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc > +++ refpolicy-2.20210120/policy/modules/services/mysql.fc 
> @@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system > /usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0) > /usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0) > /usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) > +/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0) > > /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) > /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0) > Index: refpolicy-2.20210120/policy/modules/services/mysql.if > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/mysql.if > +++ refpolicy-2.20210120/policy/modules/services/mysql.if > @@ -59,7 +59,7 @@ interface(`mysql_signal',` > type mysqld_t; > ') > > - allow $1 mysqld_t:process signal; > + allow $1 mysqld_t:process { signull signal }; create a new mysql_signull() by generalizing interfaces and putting them out of context youre shutting down doors for fine grained access control. > ') > > ######################################## > Index: refpolicy-2.20210120/policy/modules/services/mysql.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/mysql.te > +++ refpolicy-2.20210120/policy/modules/services/mysql.te > @@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime > # Local policy > # > > -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource }; > +allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource }; > dontaudit mysqld_t self:capability sys_tty_config; > allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh }; > allow mysqld_t self:fifo_file rw_fifo_file_perms; 
> @@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept > > manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) > manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) > +allow mysqld_t mysqld_db_t:file map; > manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t) > files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file }) > > @@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l > > manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) > manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t) > +allow mysqld_t mysqld_tmp_t:file map; > files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir }) > > manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t) > @@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t) > kernel_read_network_state(mysqld_t) > kernel_read_system_state(mysqld_t) > kernel_read_vm_sysctls(mysqld_t) > +kernel_read_vm_overcommit_sysctl(mysqld_t) > > corenet_all_recvfrom_netlabel(mysqld_t) > corenet_tcp_sendrecv_generic_if(mysqld_t) > @@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t) > > fs_getattr_all_fs(mysqld_t) > fs_search_auto_mountpoints(mysqld_t) > +fs_search_tmpfs(mysqld_t) > fs_rw_hugetlbfs_files(mysqld_t) > > files_read_etc_runtime_files(mysqld_t) > @@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t) > > logging_send_syslog_msg(mysqld_t) > > +miscfiles_read_generic_certs(mysqld_t) > miscfiles_read_localization(mysqld_t) > > userdom_search_user_home_dirs(mysqld_t) > Index: refpolicy-2.20210120/policy/modules/services/openvpn.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te > +++ refpolicy-2.20210120/policy/modules/services/openvpn.te > @@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t) > > auth_use_pam(openvpn_t) > > +init_read_state(openvpn_t) > + > miscfiles_read_localization(openvpn_t) > miscfiles_read_all_certs(openvpn_t) 
> > @@ -163,6 +165,10 @@ optional_policy(` > ') > > optional_policy(` > + dpkg_script_rw_inherited_pipes(openvpn_t) > +') > + > +optional_policy(` > dbus_system_bus_client(openvpn_t) > dbus_connect_system_bus(openvpn_t) > > @@ -174,3 +180,7 @@ optional_policy(` > optional_policy(` > systemd_use_passwd_agent(openvpn_t) > ') > + > +optional_policy(` > + unconfined_use_fds(openvpn_t) > +') > Index: refpolicy-2.20210120/policy/modules/services/postgrey.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te > +++ refpolicy-2.20210120/policy/modules/services/postgrey.te > @@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po > manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t) > > manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t) > +allow postgrey_t postgrey_var_lib_t:file map; > files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file) > > manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t) > Index: refpolicy-2.20210120/policy/modules/services/rpc.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/rpc.te > +++ refpolicy-2.20210120/policy/modules/services/rpc.te > @@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir > > kernel_read_network_state(nfsd_t) > kernel_dontaudit_getattr_core_if(nfsd_t) > +kernel_search_debugfs(nfsd_t) > kernel_setsched(nfsd_t) > kernel_request_load_module(nfsd_t) > # kernel_mounton_proc(nfsd_t) > Index: refpolicy-2.20210120/policy/modules/services/samba.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/samba.te > +++ refpolicy-2.20210120/policy/modules/services/samba.te 
> @@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t) > > allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice }; > allow samba_net_t self:capability2 block_suspend; > -allow samba_net_t self:process { getsched setsched }; > +allow samba_net_t self:process { sigkill getsched setsched }; > allow samba_net_t self:unix_stream_socket { accept listen }; > +allow samba_net_t self:fifo_file rw_file_perms; > > allow samba_net_t samba_etc_t:file read_file_perms; > > +allow samba_net_t samba_var_run_t:file { map read_file_perms }; > + > manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t) > filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file) > > @@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n > > manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t) > manage_files_pattern(samba_net_t, samba_var_t, samba_var_t) > +allow samba_net_t samba_var_t:file map; > manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t) > files_var_filetrans(samba_net_t, samba_var_t, dir, "samba") > > @@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem { > > manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t) > manage_files_pattern(smbd_t, samba_var_t, samba_var_t) > +allow smbd_t samba_var_t:file map; > manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t) > manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t) > files_var_filetrans(smbd_t, samba_var_t, dir, "samba") > @@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t, > > manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t) > manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) > +allow smbd_t samba_runtime_t:file map; > manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t) > files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file }) 
> > @@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file > stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t) > > stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t) > +allow smbd_t nmbd_t:unix_dgram_socket sendto; > > kernel_getattr_core_if(smbd_t) > kernel_getattr_message_if(smbd_t) > @@ -480,6 +487,11 @@ optional_policy(` > ') > > optional_policy(` > + dbus_send_system_bus(smbd_t) > + dbus_system_bus_client(smbd_t) dbus_send_system_bus(smbd_t) is redundant (already implied with dbus_system_bus_client(smbd_t) > +') > + > +optional_policy(` > kerberos_read_keytab(smbd_t) > kerberos_use(smbd_t) > ') > @@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a > > manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) > manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) > +allow nmbd_t samba_runtime_t:file map; > manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t) > files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file }) > > @@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t > setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t) > > manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) > -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t) > +allow nmbd_t samba_var_t:file map; > manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t) > manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t) > files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd") 
> @@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal > > allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull }; > read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t) > +allow smbcontrol_t samba_runtime_t:dir rw_dir_perms; > +init_use_fds(smbcontrol_t) > > manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t) > > Index: refpolicy-2.20210120/policy/modules/services/smartmon.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te > +++ refpolicy-2.20210120/policy/modules/services/smartmon.te > @@ -38,7 +38,7 @@ ifdef(`enable_mls',` > # Local policy > # > > -allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio }; > +allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio }; > dontaudit fsdaemon_t self:capability sys_tty_config; > allow fsdaemon_t self:process { getcap setcap signal_perms }; > allow fsdaemon_t self:fifo_file rw_fifo_file_perms; > Index: refpolicy-2.20210120/policy/modules/services/squid.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te > +++ refpolicy-2.20210120/policy/modules/services/squid.te > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive }; > allow squid_t self:unix_dgram_socket sendto; > allow squid_t self:unix_stream_socket { accept connectto listen }; > allow squid_t self:tcp_socket { accept listen }; > +allow squid_t self:netlink_netfilter_socket > all_netlink_netfilter_socket_perms; probably just create_socket_perms? > > manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t) > manage_files_pattern(squid_t, squid_cache_t, squid_cache_t) 
> @@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_ > files_tmp_filetrans(squid_t, squid_tmp_t, { file dir }) > > manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t) > +allow squid_t squid_tmpfs_t:file map; > fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file) > > manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t) > Index: refpolicy-2.20210120/policy/modules/services/ssh.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te > +++ refpolicy-2.20210120/policy/modules/services/ssh.te > @@ -268,6 +268,7 @@ ifdef(`init_systemd',` > init_dbus_chat(sshd_t) > systemd_dbus_chat_logind(sshd_t) > init_rw_stream_sockets(sshd_t) > + systemd_read_logind_sessions_files(sshd_t) This should probably be addressed on the lower authlogin level instead > ') > > tunable_policy(`ssh_sysadm_login',` > Index: refpolicy-2.20210120/policy/modules/services/tor.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/tor.te > +++ refpolicy-2.20210120/policy/modules/services/tor.te > @@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti > kernel_read_kernel_sysctls(tor_t) > kernel_read_net_sysctls(tor_t) > kernel_read_system_state(tor_t) > +kernel_read_vm_overcommit_sysctl(tor_t) > > corenet_all_recvfrom_netlabel(tor_t) > corenet_tcp_sendrecv_generic_if(tor_t) > Index: refpolicy-2.20210120/policy/modules/services/watchdog.te > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te > +++ refpolicy-2.20210120/policy/modules/services/watchdog.te 
> @@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t) > > logging_send_syslog_msg(watchdog_t) > > +mcs_killall(watchdog_t) > + > miscfiles_read_localization(watchdog_t) > > sysnet_dns_name_resolve(watchdog_t) > Index: refpolicy-2.20210120/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20210120/policy/modules/services/xserver.if > @@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache' > > rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t) > + allow $1 mesa_shader_cache_t:file map; > xdg_search_cache_dirs($1) > ') > > -- gpg --locate-keys dominick.grift@defensec.nl Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098 https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098 Dominick Grift
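Review bot: in the openvpn.te hunk at @@ -174, `unconfined_use_fds(openvpn_t)` usually papers over a file descriptor inherited from an unconfined process that started openvpn (a shell script or an admin session); nothing in the hunk says which descriptor that is. The usual refpolicy approach is to find where the descriptor leaks from and either dontaudit it or use the narrower fd interface for that source domain, rather than allowing openvpn_t to use any unconfined fd.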
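Review bot: in the samba.te hunk at @@ -201, `allow samba_net_t self:fifo_file rw_file_perms;` uses the generic file permission set on a fifo_file; the set refpolicy uses for that class is `rw_fifo_file_perms` (the smartmon.te context in this same patch has `allow fsdaemon_t self:fifo_file rw_fifo_file_perms;`), so write `allow samba_net_t self:fifo_file rw_fifo_file_perms;`. The same hunk adds `allow samba_net_t samba_var_run_t:file { map read_file_perms };` while every other new samba rule in this patch and the surrounding context uses `samba_runtime_t` (for example `allow smbd_t samba_runtime_t:file map;`); unless the old alias is intended, use `samba_runtime_t` so the file stays consistent.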
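Review bot: in the samba.te hunk at @@ -532, the removed line `-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)` is a verbatim duplicate of the unchanged line directly above it, so the hunk mixes a duplicate-rule cleanup with a new `map` permission and reads as if the map rule replaces the manage rule. Mention the duplicate removal in the commit message, or split it into its own change, so the intent is clear.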
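Review bot: in the samba.te hunk at @@ -613, `allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;` grants add_name/remove_name on the runtime directory, but the only file-level rule smbcontrol_t has there is the existing `read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)`, so nothing in the hunk shows what it creates or removes. If this is for the messaging socket or lock files, add the matching sock_file/file rule (and a `files_runtime_filetrans` if they are created) and say so in the commit message; if the denial was only a directory lookup, `search_dir_perms` or `list_dir_perms` is what it needed. Also, `init_use_fds(smbcontrol_t)` is placed between file-type rules; refpolicy groups interface calls by module after the local allow rules (kernel_, corenet_, ..., init_, ...), so move it down with the other interface calls.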
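Review bot: in the smartmon.te hunk, adding `setuid` to `allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };` lets the daemon change its uid, and nothing in the hunk says which smartd operation needs it. State the denial it fixes (which helper or script path changes uid) so the permission can be checked, and if it only shows up on a path that does not need to succeed, prefer a dontaudit.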
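Review bot: in the watchdog.te hunk, `mcs_killall(watchdog_t)` only exempts the domain from the MCS signal constraint; it grants no `process` signal permission by itself, and no `signal`/`sigkill` rules toward other domains are visible in this hunk. Confirm watchdog_t already has the corresponding process signal rules for the domains it must kill, and say in the commit message which processes it needs to reach across categories, since this lifts the MCS isolation for every signal it is allowed to send.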