From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches with Dominick's changes
Date: Thu, 28 Jan 2021 03:35:33 +1100
Message-ID: <3290098.uLzDavUzRi@liv>

On Thursday, 28 January 2021 12:29:16 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> > +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> >
> >  /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
> >
> >  /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> >
> > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> minor but best to escape the period: /etc/tor/torsocks\.conf

OK fixed that.

> not sure why you associate this with net_conf_t. I probably would have
> labeled all of /etc/tor tor_conf_t (for confined tor administration etc)

Because other programs that want to use tor look at it for information on how
to connect to tor via socks.

> > Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> > +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > @@ -25,6 +25,10 @@ optional_policy(`
> >
> >  ')
> >
> >  optional_policy(`
> >
> > + netutils_domtrans_ping(user_t)
> > +')
>
> this is already allowed conditionally as said before. you should be able
> to remove this.

OK, removed that.

I'll send another patch now.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
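
Review bot: In the sysnetwork.fc hunk, the added /etc/tor/torsocks.conf entry leaves the period unescaped, and file context paths are regular expressions, so the dot matches any character; write it as /etc/tor/torsocks\.conf. The entry also places a file under /etc/tor into net_conf_t with nothing in the file saying why; a one-line comment above it stating that other programs read it to learn how to reach tor via socks would record the reason given in this thread.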
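
Review bot: In the unprivuser.te hunk, the added netutils_domtrans_ping(user_t) call sits in a bare optional_policy block with no tunable or other condition around it, so user_t gets the ping transition whenever the netutils module is present. The hunk carries no comment saying what needs it, and the thread states the access is already allowed conditionally; either drop the block or place the call under that existing condition and document the reason.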