Date: Mon, 1 Feb 2021 15:57:13 +1100
From: Russell Coker
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] new version of filetrans patch

Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker Index: refpolicy-2.20210130/policy/modules/system/authlogin.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if +++ refpolicy-2.20210130/policy/modules/system/authlogin.if @@ -713,13 +713,18 @@ interface(`auth_manage_shadow',` ## Domain allowed access. ## ## +## +## +## The name of the object being created. +## +## # interface(`auth_etc_filetrans_shadow',` gen_require(` type shadow_t; ') - files_etc_filetrans($1, shadow_t, file) + files_etc_filetrans($1, shadow_t, file, $2) ') ####################################### Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te =================================================================== --- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te +++ refpolicy-2.20210130/policy/modules/admin/dpkg.te @@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t) files_manage_non_auth_files(dpkg_script_t) +auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write") auth_manage_shadow(dpkg_script_t) init_all_labeled_script_domtrans(dpkg_script_t) @@ -307,10 +308,20 @@ optional_policy(` ') optional_policy(` + aptcacher_filetrans_cache_dir(dpkg_script_t) + aptcacher_filetrans_conf_dir(dpkg_script_t) + aptcacher_filetrans_log_dir(dpkg_script_t) +') + +optional_policy(` bootloader_run(dpkg_script_t, dpkg_roles) ') optional_policy(` + clamav_filetrans_log(dpkg_script_t) +') + +optional_policy(` devicekit_dbus_chat_power(dpkg_script_t) ') @@ -319,6 +330,10 @@ optional_policy(` ') optional_policy(` + milter_filetrans_spamass_state(dpkg_script_t) +') + +optional_policy(` modutils_run(dpkg_script_t, dpkg_roles) ') 
@@ -327,6 +342,11 @@ optional_policy(` ') optional_policy(` + mysql_create_db_dir(dpkg_script_t) + mysql_create_log_dir(dpkg_script_t) +') + +optional_policy(` nis_use_ypbind(dpkg_script_t) ') Index: refpolicy-2.20210130/policy/modules/services/mysql.fc =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc +++ refpolicy-2.20210130/policy/modules/services/mysql.fc @@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0) -/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) +/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0) /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) Index: refpolicy-2.20210130/policy/modules/services/mysql.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/mysql.if +++ refpolicy-2.20210130/policy/modules/services/mysql.if @@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',` ######################################## ## +## create mysqld db dir. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_create_db_dir',` + gen_require(` + type mysqld_db_t; + ') + + files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql") +') + +######################################## +## ## Create, read, write, and delete ## mysqld home files. ## 
@@ -325,9 +343,29 @@ interface(`mysql_write_log',` ') logging_search_logs($1) + allow $1 mysqld_log_t:dir search_dir_perms; allow $1 mysqld_log_t:file write_file_perms; ') +######################################## +## +## create mysqld log dir. +## +## +## +## Domain allowed access. +## +## +# +interface(`mysql_create_log_dir',` + gen_require(` + type mysqld_log_t; + ') + + logging_search_logs($1) + logging_log_filetrans($1, mysqld_log_t, dir, "mysql") +') + ###################################### ## ## Execute mysqld safe in the Index: refpolicy-2.20210130/policy/modules/services/clamav.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/clamav.if +++ refpolicy-2.20210130/policy/modules/services/clamav.if @@ -430,3 +430,39 @@ interface(`clamav_admin',` files_list_tmp($1) admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) ') + +######################################## +## +## specified domain creates /var/log/clamav/freshclam.log with correct type +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_filetrans_log',` + gen_require(` + type clamd_var_log_t, freshclam_var_log_t; + ') + + filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log") +') + +######################################## +## +## specified domain creates /run/clamav with correct type +## +## +## +## Domain allowed access. +## +## +# +interface(`clamav_filetrans_runtime_dir',` + gen_require(` + type clamd_runtime_t; + ') + + files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav") +') Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if +++ refpolicy-2.20210130/policy/modules/services/aptcacher.if 
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',` files_search_runtime($1) stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t) ') + +######################################## +## +## create /var/log/apt-cacher-ng +## +## +## +## Domain allowed access. +## +## +# +interface(`aptcacher_filetrans_log_dir',` + gen_require(` + type aptcacher_log_t; + ') + + logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng") +') + +######################################## +## +## create /var/cache/apt-cacher-ng +## +## +## +## Domain allowed access. +## +## +# +interface(`aptcacher_filetrans_cache_dir',` + gen_require(` + type aptcacher_cache_t; + ') + + files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng") +') + +######################################## +## +## create /etc/apt-cacher-ng +## +## +## +## Domain allowed access. +## +## +# +interface(`aptcacher_filetrans_conf_dir',` + gen_require(` + type aptcacher_conf_t; + ') + + files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng") +') Index: refpolicy-2.20210130/policy/modules/services/ftp.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/ftp.if +++ refpolicy-2.20210130/policy/modules/services/ftp.if @@ -189,3 +189,21 @@ interface(`ftp_admin',` ftp_run_ftpdctl($1, $2) ') + +######################################## +## +## create /run/pure-ftpd +## +## +## +## Domain allowed access. +## +## +# +interface(`ftp_filetrans_pure_ftpd_runtime',` + gen_require(` + type ftpd_runtime_t; + ') + + files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd") +') Index: refpolicy-2.20210130/policy/modules/system/init.te =================================================================== --- refpolicy-2.20210130.orig/policy/modules/system/init.te +++ refpolicy-2.20210130/policy/modules/system/init.te 
@@ -1094,6 +1094,7 @@ optional_policy(` ') optional_policy(` + clamav_filetrans_runtime_dir(initrc_t) clamav_read_config(initrc_t) ') @@ -1287,6 +1288,10 @@ optional_policy(` ') optional_policy(` + ftp_filetrans_pure_ftpd_runtime(initrc_t) +') + +optional_policy(` rpc_read_exports(initrc_t) ') Index: refpolicy-2.20210130/policy/modules/services/milter.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/services/milter.if +++ refpolicy-2.20210130/policy/modules/services/milter.if @@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state', ######################################## ## +## create spamass milter state dir +## +## +## +## Domain allowed access. +## +## +# +interface(`milter_filetrans_spamass_state',` + gen_require(` + type spamass_milter_state_t; + ') + + files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter") +') + +######################################## +## ## Get the attributes of the spamassissin milter data dir. ## ## Index: refpolicy-2.20210130/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20210130/policy/modules/system/unconfined.te @@ -67,6 +67,7 @@ ifdef(`init_systemd',` optional_policy(` systemd_dbus_chat_resolved(unconfined_t) + systemd_filetrans_passwd_runtime_dirs(unconfined_t) ') ') Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te =================================================================== --- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te +++ refpolicy-2.20210130/policy/modules/roles/sysadm.te 
@@ -99,6 +99,7 @@ ifdef(`init_systemd',` # LookupDynamicUserByUID on org.freedesktop.systemd1. init_dbus_chat(sysadm_t) + systemd_run_passwd_agent(sysadm_t, sysadm_r) systemd_watch_passwd_runtime_dirs(sysadm_t) ') Index: refpolicy-2.20210130/policy/modules/system/systemd.if =================================================================== --- refpolicy-2.20210130.orig/policy/modules/system/systemd.if +++ refpolicy-2.20210130/policy/modules/system/systemd.if @@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds' allow systemd_passwd_agent_t $1:fd use; ') +######################################## +## +## allow systemd_passwd_agent to be run by admin +## +## +## +## Domain that runs it +## +## +## +## +## role that it runs in +## +## +# +interface(`systemd_run_passwd_agent',` + gen_require(` + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; + ') + + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) + allow systemd_passwd_agent_t $1:fd use; + role $2 types systemd_passwd_agent_t; +') + ####################################### ## ## Allow a systemd_passwd_agent_t process to interact with a daemon
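Review bot: in the authlogin.if hunk, the new second parameter of auth_etc_filetrans_shadow is passed straight through as the name argument of files_etc_filetrans, but no existing caller is updated in this patch, so every current single-argument call now passes an empty name. If that is intended, the parameter description ("The name of the object being created.") should mark the parameter as optional so readers and the interface documentation generator know an empty name is allowed; if it is not intended, the existing callers need updating in the same patch.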
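Review bot: in the dpkg.te hunk, `auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")` ties the transition to one specific temporary file name without saying which program in a maintainer script writes it; a one-line comment above the call naming the tool that creates shadow.upwd-write would save the next reader a search, and makes it easier to spot when that tool changes its temporary file name.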
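Review bot: in the mysql.fc hunk, replacing `/var/log/mysql.* --` with `/var/log/mysql(/.*)?` is not a pure widening: the old regex matched plain files such as /var/log/mysql.log or /var/log/mysql.err directly under /var/log, while the new one matches only a /var/log/mysql directory and its contents, so those files would fall back to the generic log label on relabel. If both layouts are still in use, keep the old line alongside the new one. The mariadb line is also touched with no visible change (whitespace only), which adds noise to the diff.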
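Review bot: in the mysql.if hunks, the two new interfaces are named mysql_create_db_dir and mysql_create_log_dir while every other new interface in this patch is named *_filetrans_* (aptcacher_filetrans_cache_dir, clamav_filetrans_log, milter_filetrans_spamass_state, ftp_filetrans_pure_ftpd_runtime); since this revision is about naming, one scheme should be used, e.g. mysql_filetrans_db_dir and mysql_filetrans_log_dir. The summaries "create mysqld db dir." and "create mysqld log dir." should also be full sentences in the style of the neighbouring interfaces ("Create, read, write, and delete mysqld home files."). The `allow $1 mysqld_log_t:dir search_dir_perms;` added to mysql_write_log is the right companion to the log location becoming a directory.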
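Review bot: in the clamav.if hunk, clamav_filetrans_log applies filetrans_pattern on clamd_var_log_t but does not grant the caller search on /var/log, unlike mysql_create_log_dir in the same patch, which calls `logging_search_logs($1)` first; without it the interface only works for callers that already have that permission from elsewhere, so add `logging_search_logs($1)` before the filetrans_pattern line. The summaries ("specified domain creates /var/log/clamav/freshclam.log with correct type") read as working notes rather than the one-sentence style of the rest of the file; something like "Create freshclam.log in the clamd log directory with the freshclam log type." matches it better.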
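Review bot: in the unconfined.te hunk, systemd_filetrans_passwd_runtime_dirs is called but neither defined nor modified anywhere in this patch, so the change only builds against a tree that already carries that interface; a sentence in the patch description saying that the series depends on the existing systemd_filetrans_passwd_runtime_dirs interface (and that 2.20210130 has it) would make the dependency explicit for anyone backporting.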
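Review bot: in the systemd.if hunk, systemd_run_passwd_agent duplicates `allow systemd_passwd_agent_t $1:fd use;`, which the immediately preceding systemd_use_passwd_agent_fds interface already provides (its last line is visible in the hunk context); calling `systemd_use_passwd_agent_fds($1)` instead keeps that rule in one place. The usual refpolicy shape for a *_run_* interface is a *_domtrans_* interface carrying the domain_auto_transition_pattern, with the *_run_* wrapper adding only the `role $2 types` line, so consider splitting out a systemd_domtrans_passwd_agent. The doc strings ("allow systemd_passwd_agent to be run by admin", "Domain that runs it", "role that it runs in") should be the standard "Domain allowed access." and "Role allowed access." sentences used elsewhere in the file.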