Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp1959009pxb; Fri, 29 Jan 2021 09:18:58 -0800 (PST) X-Google-Smtp-Source: ABdhPJxDYMPr5BDf+czzi7Nw3dP34rs13hZ5EC1Sm38UKQfKu7rklEHpg769PKIn47+CktFPfhsO X-Received: by 2002:a50:cf02:: with SMTP id c2mr6213837edk.333.1611940738157; Fri, 29 Jan 2021 09:18:58 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1611940738; cv=none; d=google.com; s=arc-20160816; b=EqY82fFWZ+0+aoFgFXdg3QKjOBTYpTOeu/hvAq2rOBNnDrRre3EK4b9ymrWT2al33C aaRZTGZIwX0Tro4eq5BJulUwHyPIm9kfAfU64zY0CyjwzGGOHglMPEkS9H5s2mNykp8R mb4svZQgLpxn5NZ2w+F33Ir1SWtYwlbNgDEHxw0FOMND4zwrRAqipA0NZI5awyAYAvmo vxnxE6NvoFuqi6L4JBOg8VMXl3mvffg/pT56fLLmLywoH90G9kMBFvjfoWQIl1aStGk0 Dvg7CCtPhlupBeR5k7v1AXDCtwkWq1GdvxJLgDHbKQp+pYRl1P5j1ynxpQ9QlTbLCJ7O qtEQ== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-disposition:mime-version:message-id :subject:to:from:date:dkim-signature; bh=c54XRgI3YSoDo9Bvu6FeMy5IstW92Uo/cvGkt/CPla0=; b=qTWvRbyregKz+uk01cu2EGuQqKk+dLVkITZQNswEdXqecII7DgAtC75ELJfrNheCCC j8jOUAwpIrAx8KFxDnjuQi884lsqCbXw+MN2MSe143ONh4rK1+UJzZpNaspD8hGuLZto Sk4RTD1zUk3RrlvzwzWEYso2kqZAlssO+PwWlAl3xTDNufEMoxH3F0OAQ9omhL9DF6gy etYBGUq8lE/6C5qduu74/VwltQaLaYXJZoRpz7y+oJSTTF4IIDN2EWChCNH/nlX7VvUP w0q7twMrQkiH3EbjZ8IKhv/s9sQzvpMpFMP2DpNsJ9gNPC0JHy6NHkL7qyfvrb2VimVx +pSQ== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=yycOZ7Zf; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Return-Path: Received: from vger.kernel.org (vger.kernel.org. 
[23.128.96.18]) by mx.google.com with ESMTP id y16si5332107eju.393.2021.01.29.09.18.51; Fri, 29 Jan 2021 09:18:57 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@coker.com.au header.s=2008 header.b=yycOZ7Zf; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231526AbhA2RSU (ORCPT + 16 others); Fri, 29 Jan 2021 12:18:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232433AbhA2RQK (ORCPT ); Fri, 29 Jan 2021 12:16:10 -0500 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52332C06178A for ; Fri, 29 Jan 2021 09:15:13 -0800 (PST) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 18C74ECF5 for ; Sat, 30 Jan 2021 04:15:10 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1611940510; bh=c54XRgI3YSoDo9Bvu6FeMy5IstW92Uo/cvGkt/CPla0=; l=8072; h=Date:From:To:Subject:From; b=yycOZ7Zf2CGH81q7z22yRenl+AZMjnAMAhbH5wZU1HbD4INXWVxEiRRdKbzBOjdQs lFn6Qg8u94auN1sjYNnVmaHN7rI4A8zrF/KWd2PAizcIbfPuu+OIj970vOJ3Od4pNf tuqUwEgNOXIFJfK50v94XWrF8GB1pk1zUrg26Zho= Received: by xev.coker.com.au (Postfix, from userid 1001) id A530C13453C0; Sat, 30 Jan 2021 04:15:04 +1100 (AEDT) Date: Sat, 30 Jan 2021 04:15:04 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] type transition rules for Debian installations Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org
This patch has named type transition rules for the creation of directories without specifying the type, hopefully these will be removed at some future time when the package maintainer does things differently, but that won't happen soon.
Signed-off-by: Russell Coker
Index: refpolicy-2.20210129/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210129/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
 ##	Domain allowed access.
 ##
 ##
+##
+##
+##	The name of the object being created.
+##
+##
 #
 interface(`auth_etc_filetrans_shadow',`
 	gen_require(`
 		type shadow_t;
 	')
 
-	files_etc_filetrans($1, shadow_t, file)
+	files_etc_filetrans($1, shadow_t, file, $2)
 ')
 
 #######################################
Index: refpolicy-2.20210129/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210129/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
 
 files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
 
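Review bot: The new `$2` is forwarded to `files_etc_filetrans` unconditionally, so every existing single-argument caller of `auth_etc_filetrans_shadow` now passes an empty fourth argument; that is only safe if `files_etc_filetrans` and the `filetrans_pattern` under it tolerate an empty name (both are outside this hunk — please confirm), and the XML for the new parameter should carry `optional="true"` so the generated interface docs say the same (the tags are not visible in this rendering). The interface summary above the hunk presumably still describes an unconditional transition; a line such as `##	If a name is given, only objects created with that name transition to shadow_t.` would tell callers when to pass one.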
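Review bot: The literal `"shadow.upwd-write"` on the added line is undocumented, so a reader of dpkg.te cannot tell which tool creates that file or why it must be shadow_t instead of the etc_t it would otherwise receive. A comment above the call, e.g. `# update-passwd (base-passwd) writes /etc/shadow.upwd-write and renames it over /etc/shadow; keep it shadow_t`, would record that — the attribution to update-passwd is my reading of the filename and should be confirmed. If the same tool writes passwd/group temporaries, those correctly stay etc_t and need no rule, which is worth stating so nobody "completes" the set later.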
@@ -307,10 +308,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+	aptcacher_create_cache_dir(dpkg_script_t)
+	aptcacher_create_conf_dir(dpkg_script_t)
+	aptcacher_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	bootloader_run(dpkg_script_t, dpkg_roles)
 ')
 
 optional_policy(`
+	clamav_create_freshclam_log(dpkg_script_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_power(dpkg_script_t)
 ')
 
@@ -327,6 +338,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_create_db_dir(dpkg_script_t)
+	mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(dpkg_script_t)
 ')
 
Index: refpolicy-2.20210129/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210129/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 
-/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /run/mysqld.*	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210129/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210129/policy/modules/services/mysql.if
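Review bot: The three new `optional_policy` blocks here (and the mysql block in the hunk at -327) add create-with-transition rules to dpkg_script_t without a comment, so nothing in dpkg.te says they exist only to label directories that Debian maintainer scripts create without a restorecon — that rationale lives solely in the commit message, which also says the rules are meant to be retired later. A one-line comment at the first of them, `# Debian maintainer scripts create these dirs without restorecon; label them at creation`, keeps the reason and the retirement intent with the policy. Since dpkg_script_t already has `files_manage_non_auth_files` (context at -276), these rules presumably do not widen what the domain may create, only which type the new directories receive; if that is the intent it is worth saying in the same comment.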
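Review bot: Replacing `/var/log/mysql.*	--` with `/var/log/mysql(/.*)?` drops the labeling of flat log files such as /var/log/mysql.log, /var/log/mysql.err or /var/log/mysqld.log: the new regex matches only the directory /var/log/mysql and its contents, so on an installation that still logs to one of those files a relabel would leave it as plain var_log_t and mysqld is likely to lose write access to it. Keeping the old file entry next to the new directory entry, `/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)`, covers both layouts. The /var/log/mariadb line is removed and re-added with what looks, in this rendering, like identical text; if it is whitespace-only it can be dropped from the hunk.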
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
 
 ########################################
 ##
+##	create mysqld db dir.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`mysql_create_db_dir',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+##
 ##	Create, read, write, and delete
 ##	mysqld home files.
 ##
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 mysqld_log_t:dir search_dir_perms;
 	allow $1 mysqld_log_t:file write_file_perms;
 ')
 
+########################################
+##
+##	create mysqld log dir.
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`mysql_create_log_dir',`
+	gen_require(`
+		type mysqld_log_t;
+	')
+
+	logging_search_logs($1)
+	logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
 ######################################
 ##
 ##	Execute mysqld safe in the
Index: refpolicy-2.20210129/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210129/policy/modules/services/clamav.if
@@ -430,3 +430,21 @@ interface(`clamav_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
 ')
+
+########################################
+##
+##	specified domain creates /var/log/clamav/freshclam.log with correct type
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`clamav_create_freshclam_log',`
+	gen_require(`
+		type clamd_var_log_t, freshclam_var_log_t;
+	')
+
+	filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
Index: refpolicy-2.20210129/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210129/policy/modules/services/aptcacher.if
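Review bot: The summary of `mysql_create_db_dir`, `create mysqld db dir.`, does not follow the style of the neighbouring interface docs (`Create, read, write, and delete / mysqld home files.` in the same hunk) and does not name the type the caller ends up creating. `##	Create the mysqld database directory /var/lib/mysql with a type transition to mysqld_db_t.` states the contract in the house style. The transition relies on mysql.fc labeling `/var/lib/mysql(/.*)?` as mysqld_db_t, which the mysql.fc hunk shows as existing context, so no fc change is needed here.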
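Review bot: `mysql_write_log` gains `allow $1 mysqld_log_t:dir search_dir_perms;` because the mysql.fc change turns /var/log/mysql into a mysqld_log_t directory, but any sibling interface that reads or appends mysqld_log_t files (outside this hunk, if such interfaces exist) has exactly the same need and is not touched; please check them, or their callers may start failing on directory search once the log dir is relabeled. `mysql_create_log_dir` pairs `logging_search_logs($1)` with `logging_log_filetrans`, which is the right shape and worth copying in the other new create interfaces. Its summary `create mysqld log dir.` could follow the existing style with `##	Create the mysqld log directory /var/log/mysql with a type transition to mysqld_log_t.`.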
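Review bot: `clamav_create_freshclam_log` calls `filetrans_pattern` on clamd_var_log_t directly and grants nothing on the path to it, unlike `mysql_create_log_dir` in this same patch, which issues `logging_search_logs($1)` before its transition; a caller that cannot already search /var/log never reaches /var/log/clamav and the rule is dead for it. Adding `logging_search_logs($1)` before the `filetrans_pattern` line makes the interface self-contained (dpkg_script_t presumably has that access already through `files_manage_non_auth_files`, which would be why it works for the one caller in this patch). The summary `specified domain creates /var/log/clamav/freshclam.log with correct type` is a sentence fragment; `##	Create /var/log/clamav/freshclam.log with a type transition to freshclam_var_log_t.` matches the surrounding style.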
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+########################################
+##
+##	create /var/log/apt-cacher-ng
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_log_dir',`
+	gen_require(`
+		type aptcacher_log_t;
+	')
+
+	logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+##
+##	create /var/cache/apt-cacher-ng
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_cache_dir',`
+	gen_require(`
+		type aptcacher_cache_t;
+	')
+
+	files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+##
+##	create /etc/apt-cacher-ng
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_conf_dir',`
+	gen_require(`
+		type aptcacher_conf_t;
+	')
+
+	files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210129/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210129/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
 
 	ftp_run_ftpdctl($1, $2)
 ')
+
+########################################
+##
+##	create /run/pure-ftpd
+##
+##
+##
+##	Domain allowed access.
+##
+##
+#
+interface(`ftp_create_pure_ftpd_runtime',`
+	gen_require(`
+		type ftpd_runtime_t;
+	')
+
+	files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210129/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/init.te
+++ refpolicy-2.20210129/policy/modules/system/init.te
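Review bot: None of the three new aptcacher interfaces is accompanied by a file_contexts change: the patch updates mysql.fc for the new /var/log/mysql directory but touches no aptcacher.fc, clamav.fc or ftp.fc, so unless those files already label `/var/log/apt-cacher-ng(/.*)?`, `/var/cache/apt-cacher-ng(/.*)?` and `/etc/apt-cacher-ng(/.*)?` (and, for the ftp.if and clamav.if hunks, `/run/pure-ftpd(/.*)?` and `/var/log/clamav/freshclam.log`) with the types used here, the first restorecon would undo what the transitions set up — please confirm the entries exist. The summaries give only a path (`create /var/log/apt-cacher-ng`); naming the target type as well, e.g. `##	Create /var/log/apt-cacher-ng with a type transition to aptcacher_log_t.`, tells a caller what they are granting without reading the body. `aptcacher_create_cache_dir` transitions from the /var parent via `files_var_filetrans` although the summary says /var/cache; that is consistent only if /var/cache carries the same type as /var in this policy, which is outside the hunk and worth a one-line comment.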
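Review bot: `ftp_create_pure_ftpd_runtime` creates a directory, like every other new interface in this patch, but is the only one whose name does not end in `_dir` (`aptcacher_create_log_dir`, `mysql_create_log_dir`, …); `ftp_create_pure_ftpd_runtime_dir` would keep the set uniform, and the one caller in init.te is in this same patch so the rename is cheap now. The summary `create /run/pure-ftpd` could also name the resulting type: `##	Create /run/pure-ftpd with a type transition to ftpd_runtime_t.`.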
@@ -1287,6 +1287,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ftp_create_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
 	rpc_read_exports(initrc_t)
 ')
 
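Review bot: `ftp_create_pure_ftpd_runtime(initrc_t)` carries no comment explaining why init scripts, rather than the ftpd domain, create /run/pure-ftpd; if it is the Debian pure-ftpd init script creating the directory before the daemon starts (my reading — please confirm), say so: `# Debian's pure-ftpd init script creates /run/pure-ftpd before starting the daemon`. Note that the rule is keyed on the ftp module being loaded, not on pure-ftpd being installed, so every initrc_t instance gets the transition; that is acceptable if initrc_t can already create directories under /run and the rule only fixes the resulting label, which is an assumption the comment should state.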