From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Fri, 22 Jan 2021 00:25:10 +1100
Message-ID: <1730727.gRP4Mpsj7r@liv>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
> > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_
> > t,s0)
> > /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0
> > )
>
> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

OK, I'll change that.

> > +interface(`apache_delete_squirrelmail_spool',`
> > + gen_require(`
> > + type squirrelmail_spool_t;
> > + ')
> > +
> > + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> > + allow $1 squirrelmail_spool_t:file delete_file_perms;
>
> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

OK.

> > tunable_policy(`httpd_enable_homedirs',`
> >
> > - userdom_search_user_home_dirs(httpd_t)
> > + userdom_list_user_home_content(httpd_t)
>
> this is not how it was designed. If you want that functionality then set
> httpd_read_user_content boolean to true instead

OK, I'll delete that patch and do it a better way next time I see a case for it.
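Review bot: in the apache.fc hunk, `/usr/sbin/php7..-fpm` matches only paths with exactly two characters between `php7` and `-fpm`, so `/usr/sbin/php7.4-fpm` gets httpd_exec_t while a later binary such as `/usr/sbin/php8.0-fpm` (or a two-digit minor like `php7.10-fpm`) keeps the directory's default label and never gets the httpd_t domain transition on exec; the unescaped `.` before the minor version also matches any character rather than a literal dot. A version-tolerant pattern such as the suggested `/usr/sbin/php.*-fpm`, or the tighter `/usr/sbin/php[0-9]+\.[0-9]+-fpm`, avoids touching the fc file on every PHP release.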
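Review bot: in the `apache_delete_squirrelmail_spool` hunk, `rw_dir_perms` on squirrelmail_spool_t also grants add_name (creating entries) on the spool directory, which an interface named for deletion does not need; `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` expands to `del_entry_dir_perms` on the directory plus `delete_file_perms` on the files, matching the interface's name. The quoted hunk also shows no `## <summary>` / `## <param>` block above the `interface(` line; if the submitted patch lacks one, add it so the interface appears in the generated documentation.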
> > allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> > allow cupsd_t self:fifo_file rw_fifo_file_perms;
> > allow cupsd_t self:unix_stream_socket { accept connectto listen };
> > allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> >
> > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> >
> > getattr read setopt };
>
> create_socket_perms, use the permission sets and patterns where appropriate

ok

> > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> > @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> >
> > allow l2tpd_t self:tcp_socket { accept listen };
> > allow l2tpd_t self:unix_dgram_socket sendto;
> > allow l2tpd_t self:unix_stream_socket { accept listen };
> >
> > +allow l2tpd_t self:pppox_socket create;
>
> create_socket_perms probably eventually

Maybe, but for the moment I think it's best to leave them like that. I had it working fully only needing those accesses.
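Review bot: the l2tp.te hunk grants only `create` on pppox_socket, while the surrounding self socket rules in this block (see the `create_socket_perms` in the hunk's own context line) use permission sets; with a lone `create`, any later ioctl, connect or setopt on that socket is denied, which is easy to miss if the daemon is only tested on one configuration. If nothing beyond create is really needed, as the reply states, a one-line comment saying so will stop the next reviewer from widening it; otherwise the set is the safer choice.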
> > @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> >
> > type mysqld_t;
> >
> > ')
> >
> > - allow $1 mysqld_t:process signal;
> > + allow $1 mysqld_t:process { signull signal };
>
> create a new mysql_signull()
>
> by generalizing interfaces and putting them out of context you're
> shutting down doors for fine grained access control.

OK, I'll drop that patch and add a mysql_signull() next time I see the need for it (probably a week or two).

> > optional_policy(`
> >
> > + dbus_send_system_bus(smbd_t)
> > + dbus_system_bus_client(smbd_t)
>
> dbus_send_system_bus(smbd_t) is redundant (already implied with
> dbus_system_bus_client(smbd_t)

ok

> > Index: refpolicy-2.20210120/policy/modules/services/squid.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> > +++ refpolicy-2.20210120/policy/modules/services/squid.te
> > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> >
> > allow squid_t self:unix_dgram_socket sendto;
> > allow squid_t self:unix_stream_socket { accept connectto listen };
> > allow squid_t self:tcp_socket { accept listen };
> >
> > +allow squid_t self:netlink_netfilter_socket
> > all_netlink_netfilter_socket_perms;
>
> probably just create_socket_perms?

OK.

> > Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20210120/policy/modules/services/ssh.te
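Review bot: the mysql.if hunk changes the body of the existing `mysql_signal()` interface from `signal` to `{ signull signal }`, so every current caller of mysql_signal() silently gains signull without any change to its own policy, and the interface's summary no longer describes what it grants. A separate `mysql_signull()` interface, as suggested, keeps the two permissions independently grantable; the one caller that needs both can call both.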
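Review bot: in the squid.te hunk, `all_netlink_netfilter_socket_perms` by its name grants every permission on the class, including relabelfrom, relabelto, listen and accept, which a netfilter netlink client does not use; the neighbouring self socket rules all use named sets, and `create_socket_perms` (create plus the read/write/bind/connect/getopt/setopt group) is the conventional choice here, as the reviewer suggests.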
> > @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >
> > init_dbus_chat(sshd_t)
> > systemd_dbus_chat_logind(sshd_t)
> > init_rw_stream_sockets(sshd_t)
> >
> > + systemd_read_logind_sessions_files(sshd_t)
>
> This should probably be addressed on the lower authlogin level instead

auth_login_pgm_domain()? In another patch I have systemd_connect_machined(sshd_t) which I guess should go in the same one too.

Thanks for all the suggestions. I'll send an updated version shortly.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
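Review bot: the ssh.te hunk places `systemd_read_logind_sessions_files(sshd_t)` inside the `ifdef(`init_systemd'` block next to `systemd_dbus_chat_logind(sshd_t)`. If it moves to the authlogin level as the reviewer prefers, note that `auth_login_pgm_domain()` is called by login programs other than sshd, so the access is then granted to all of them, and it needs the same init_systemd guard (or an `optional_policy`) there that it has here.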
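The reviewer's remark that `/usr/sbin/php7..-fpm` is fragile, worked through as an added example that is not part of this thread or of refpolicy: a simplified Python fc matcher that, like libselinux, anchors each file-context regex to the whole path and takes the last matching entry, run over constructed fc entries (the submitted pattern and the suggested `/usr/sbin/php.*-fpm`) and constructed candidate binary paths.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed .fc fragments (not refpolicy's files): the context lines from the
# quoted apache.fc hunk, with the php-fpm entry as submitted and as suggested.
FC_SUBMITTED = """
/usr/sbin/suexec      --  gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/wigwam      --  gen_context(system_u:object_r:httpd_exec_t,s0)
/usr/sbin/php7..-fpm  --  gen_context(system_u:object_r:httpd_exec_t,s0)
"""
FC_SUGGESTED = FC_SUBMITTED.replace("/usr/sbin/php7..-fpm", "/usr/sbin/php.*-fpm")

# Constructed candidate paths a distribution might ship across PHP releases.
CANDIDATES = ["/usr/sbin/php7.4-fpm", "/usr/sbin/php7.10-fpm",
              "/usr/sbin/php8.0-fpm", "/usr/sbin/php-fpm"]

# fc line: regex, optional file-type specifier (-- regular file, -d dir, ...),
# and gen_context(<context>,<mls range>)
FC_LINE = re.compile(r"^(\S+)\s+(?:(-[-dlcbsp])\s+)?gen_context\(([^,]+),\S+\)$")

Entry = Tuple[re.Pattern, Optional[str], str]

def parse_fc(text: str) -> List[Entry]:
    """Parse .fc lines; like libselinux, anchor every regex to the whole path."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparsable fc line: {line!r}")
        regex, ftype, ctx = m.groups()
        entries.append((re.compile("^" + regex + "$"), ftype, ctx))
    return entries

def lookup(entries: List[Entry], path: str, ftype: str = "--") -> Optional[str]:
    """Context for path, or None if nothing matches (last matching entry wins)."""
    label = None
    for rx, spec, ctx in entries:
        if spec is not None and spec != ftype:
            continue  # a type specifier restricts the entry to one file type
        if rx.match(path):
            label = ctx
    return label

def coverage(fc_text: str, paths: List[str]) -> Dict[str, Optional[str]]:
    """Map each candidate path to the context it would receive under fc_text."""
    entries = parse_fc(fc_text)
    return {p: lookup(entries, p) for p in paths}

if __name__ == "__main__":
    for name, text in (("submitted", FC_SUBMITTED), ("suggested", FC_SUGGESTED)):
        missed = [p for p, ctx in coverage(text, CANDIDATES).items() if ctx is None]
        print(f"{name}: unlabelled -> {missed}")
```

Paths left unlabelled by the submitted pattern fall back to the directory's default context, which is the labelling gap the reviewer is pointing at.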