Received: by 2002:a05:6a10:8c0a:0:0:0:0 with SMTP id go10csp568859pxb; Tue, 2 Feb 2021 11:58:03 -0800 (PST) X-Google-Smtp-Source: ABdhPJxXgXJPk3s3uNBgzSj4/aUBnzHRpQD3zG9DVDVE5J/R+VbT9G87ENMIa46JqETtp2K+0xGY X-Received: by 2002:a17:906:7b8d:: with SMTP id s13mr23660974ejo.479.1612295883355; Tue, 02 Feb 2021 11:58:03 -0800 (PST) ARC-Seal: i=1; a=rsa-sha256; t=1612295883; cv=none; d=google.com; s=arc-20160816; b=GHSb4xGOGpJyq4g7N6r2HVEq7LsomESOtcYFdBOjhcuT30vefBCBO8kld818m7muaS UwfyY5opnunHbAHMBgENtLOaOSpsr9zMPIuyT2dC4+ttx9XJfK2HQBp47QdW9tjNgOzK A/6J5but2rlQ84JvmUCHF4RWtTDQ9MQvJVeFPBgnfwa9Rcp7aiV4EZkDqoQEvk9/i5aL uvVUTslgE3QIR1SFqrmiXv3hKybMI9Pvt5+n0M+X35p0ZQxkRuvXUSb3SMO715M5EoHt HcIMgLDSeDOI+/kQVytImbrzaM4lvCv/+Fcc5q6o+4wYjIAV2lGC5MUWlA62rcT2tEYa 2p9A== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816; h=list-id:precedence:content-transfer-encoding:content-language :in-reply-to:mime-version:user-agent:date:message-id:from:references :to:subject:dkim-signature; bh=6HeMPfQ33tnpbaK6bqGdNlRk8rqzbOTyaFgmApvebJM=; b=kh0UkYRlgkp4g96GzOvJ2+fMkFwin2+/51t8m6oRvDCzPf4GVfBnOMueVRvpeZ2Mie XbIsuWt3QLIuvFrN/yN2IhElrCXuKgCTugpQ9dPPPKqkUMvynfx3rYghsNL5K/O1VLuE 4QM9aNF/Ct4/oYAygT1ufrrhknt0qY+YULHFbTIzvhZWlSK4p5DoROZgnVJX1Db8Puvb iNF6qhsPyMTx/qUx6NZttdcCYp9xoYpzawCMjBNUjOSy4AiTBWS3GTwZKwz7sWB+mFDB O7iw1P8dI5qb+UyXuOvXcUkknbC++cLWTYKXYi16ynwmYD1KBaxD5aQiG4OkKpEgERK2 0lfw== ARC-Authentication-Results: i=1; mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=LD6LummF; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Return-Path: Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18]) by mx.google.com with ESMTP id r9si12759381eji.723.2021.02.02.11.57.57; Tue, 02 Feb 2021 11:58:03 -0800 (PST) Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18; Authentication-Results: mx.google.com; dkim=pass header.i=@ieee.org header.s=google header.b=LD6LummF; spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org; dmarc=pass (p=NONE sp=NONE dis=NONE) header.from=ieee.org Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S233068AbhBBT4a (ORCPT + 16 others); Tue, 2 Feb 2021 14:56:30 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:47080 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S233062AbhBBNuq (ORCPT ); Tue, 2 Feb 2021 08:50:46 -0500 Received: from mail-qk1-x72c.google.com (mail-qk1-x72c.google.com [IPv6:2607:f8b0:4864:20::72c]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 1C775C0613D6 for ; Tue, 2 Feb 2021 05:49:11 -0800 (PST) Received: by mail-qk1-x72c.google.com with SMTP id a7so19741636qkb.13 for ; Tue, 02 Feb 2021 05:49:11 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=ieee.org; s=google; h=subject:to:references:from:message-id:date:user-agent:mime-version :in-reply-to:content-language:content-transfer-encoding; bh=6HeMPfQ33tnpbaK6bqGdNlRk8rqzbOTyaFgmApvebJM=; b=LD6LummFG0YAsHLdPLOt9dOupXOJJXJjP5/Z0ngZ7Pzv0y9NxgdVrtsa9cpu7R0K9c z1vUphtk0VFqFeH04+KOQNd2SxhGd0XDIhMM7kMpR0kRQJYXamWTdz3kSKujetNcsfOw ho4GAKwMnJ5B0NqRZzwXtOibRr4Lm8mBJ9a4Y= X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:subject:to:references:from:message-id:date :user-agent:mime-version:in-reply-to:content-language :content-transfer-encoding; bh=6HeMPfQ33tnpbaK6bqGdNlRk8rqzbOTyaFgmApvebJM=; b=eg3uWK+BtGqDG5XZSYz7of2H9J87qCNhDsdMCuCq38WlGqvnym5s+Dptgty3RMgbnI qIOFm8erX9e74FOMKiQlBskg5nDByOhtH/pdaXVgYjgxDeZi+9I4BFthdnevA+m+bu+l 8CIaTPX0o0ylHpWtsM/I4cxUQgpwnMtIXVNAydZ03wbwFCHXerQ84901KwwD7M8d9Rsi Ftm+ad8o+gH6skIXhG5luqqi42RB+55a3I9C1zD4zrC4b6n301FNFrnJfJPrFL/2Y8VU XfcCcAgVa25NJHzCHgyRr+vPZKN22+UlAPR18VyJiE5Ua6tKskdE3FTSE/A3TjB2IURK 0TAA== X-Gm-Message-State: AOAM5332oh8omKBKB4w034w/I9o4MZKBeNTRm87O4Q46A+yXtuQlHcf5 mdBBlBcspOEswFzsdctNwiIXwLaE3mkutQ== X-Received: by 2002:a37:5905:: with SMTP id n5mr5943122qkb.191.1612273749980; Tue, 02 Feb 2021 05:49:09 -0800 (PST) Received: from fedora.pebenito.net (pool-96-234-173-17.bltmmd.fios.verizon.net. [96.234.173.17]) by smtp.gmail.com with ESMTPSA id d1sm9686783qtn.30.2021.02.02.05.49.08 (version=TLS1_3 cipher=TLS_AES_128_GCM_SHA256 bits=128/128); Tue, 02 Feb 2021 05:49:08 -0800 (PST) Subject: Re: [PATCH] new version of filetrans patch To: Russell Coker , selinux-refpolicy@vger.kernel.org References: From: Chris PeBenito Message-ID: <983ff6fa-2bbc-22f1-a72c-a4eb38127f09@ieee.org> Date: Tue, 2 Feb 2021 08:49:07 -0500 User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Thunderbird/78.6.1 MIME-Version: 1.0 In-Reply-To: Content-Type: text/plain; charset=utf-8; format=flowed Content-Language: en-US Content-Transfer-Encoding: 7bit Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org On 1/31/21 11:57 PM, Russell Coker wrote: > Name changes suggested by Dominick and some more additions. > > Signed-off-by: Russell Coker Merged, though I renamed some interfaces and dropped a block that didn't apply since it's so close to the merge window closing. > Index: refpolicy-2.20210130/policy/modules/system/authlogin.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if > +++ refpolicy-2.20210130/policy/modules/system/authlogin.if > @@ -713,13 +713,18 @@ interface(`auth_manage_shadow',` > ## Domain allowed access. > ## > ## > +## > +## > +## The name of the object being created. > +## > +## > # > interface(`auth_etc_filetrans_shadow',` > gen_require(` > type shadow_t; > ') > > - files_etc_filetrans($1, shadow_t, file) > + files_etc_filetrans($1, shadow_t, file, $2) > ') > > ####################################### > Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te > +++ refpolicy-2.20210130/policy/modules/admin/dpkg.te > @@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t) > > files_manage_non_auth_files(dpkg_script_t) > > +auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write") > auth_manage_shadow(dpkg_script_t) > > init_all_labeled_script_domtrans(dpkg_script_t) > @@ -307,10 +308,20 @@ optional_policy(` > ') > > optional_policy(` > + aptcacher_filetrans_cache_dir(dpkg_script_t) > + aptcacher_filetrans_conf_dir(dpkg_script_t) > + aptcacher_filetrans_log_dir(dpkg_script_t) > +') > + > +optional_policy(` > bootloader_run(dpkg_script_t, dpkg_roles) > ') > > optional_policy(` > + clamav_filetrans_log(dpkg_script_t) > +') > + > +optional_policy(` > devicekit_dbus_chat_power(dpkg_script_t) > ') > > @@ -319,6 +330,10 @@ optional_policy(` > ') > > optional_policy(` > + milter_filetrans_spamass_state(dpkg_script_t) > +') > + > +optional_policy(` > modutils_run(dpkg_script_t, dpkg_roles) > ') > > @@ -327,6 +342,11 @@ optional_policy(` > ') > > optional_policy(` > + mysql_create_db_dir(dpkg_script_t) > + mysql_create_log_dir(dpkg_script_t) > +') > + > +optional_policy(` > nis_use_ypbind(dpkg_script_t) > ') > > Index: refpolicy-2.20210130/policy/modules/services/mysql.fc > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc > +++ refpolicy-2.20210130/policy/modules/services/mysql.fc > @@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system > /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0) > /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0) > > -/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) > -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0) > +/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) > +/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0) > > /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0) > /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0) > Index: refpolicy-2.20210130/policy/modules/services/mysql.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/mysql.if > +++ refpolicy-2.20210130/policy/modules/services/mysql.if > @@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',` > > ######################################## > ## > +## create mysqld db dir. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mysql_create_db_dir',` > + gen_require(` > + type mysqld_db_t; > + ') > + > + files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql") > +') > + > +######################################## > +## > ## Create, read, write, and delete > ## mysqld home files. > ## > @@ -325,9 +343,29 @@ interface(`mysql_write_log',` > ') > > logging_search_logs($1) > + allow $1 mysqld_log_t:dir search_dir_perms; > allow $1 mysqld_log_t:file write_file_perms; > ') > > +######################################## > +## > +## create mysqld log dir. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`mysql_create_log_dir',` > + gen_require(` > + type mysqld_log_t; > + ') > + > + logging_search_logs($1) > + logging_log_filetrans($1, mysqld_log_t, dir, "mysql") > +') > + > ###################################### > ## > ## Execute mysqld safe in the > Index: refpolicy-2.20210130/policy/modules/services/clamav.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/clamav.if > +++ refpolicy-2.20210130/policy/modules/services/clamav.if > @@ -430,3 +430,39 @@ interface(`clamav_admin',` > files_list_tmp($1) > admin_pattern($1, { clamd_tmp_t clamscan_tmp_t }) > ') > + > +######################################## > +## > +## specified domain creates /var/log/clamav/freshclam.log with correct type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`clamav_filetrans_log',` > + gen_require(` > + type clamd_var_log_t, freshclam_var_log_t; > + ') > + > + filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log") > +') > + > +######################################## > +## > +## specified domain creates /run/clamav with correct type > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`clamav_filetrans_runtime_dir',` > + gen_require(` > + type clamd_runtime_t; > + ') > + > + files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav") > +') > Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if > +++ refpolicy-2.20210130/policy/modules/services/aptcacher.if > @@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',` > files_search_runtime($1) > stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t) > ') > + > +######################################## > +## > +## create /var/log/apt-cacher-ng > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`aptcacher_filetrans_log_dir',` > + gen_require(` > + type aptcacher_log_t; > + ') > + > + logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng") > +') > + > +######################################## > +## > +## create /var/cache/apt-cacher-ng > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`aptcacher_filetrans_cache_dir',` > + gen_require(` > + type aptcacher_cache_t; > + ') > + > + files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng") > +') > + > +######################################## > +## > +## create /etc/apt-cacher-ng > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`aptcacher_filetrans_conf_dir',` > + gen_require(` > + type aptcacher_conf_t; > + ') > + > + files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng") > +') > Index: refpolicy-2.20210130/policy/modules/services/ftp.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/ftp.if > +++ refpolicy-2.20210130/policy/modules/services/ftp.if > @@ -189,3 +189,21 @@ interface(`ftp_admin',` > > ftp_run_ftpdctl($1, $2) > ') > + > +######################################## > +## > +## create /run/pure-ftpd > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`ftp_filetrans_pure_ftpd_runtime',` > + gen_require(` > + type ftpd_runtime_t; > + ') > + > + files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd") > +') > Index: refpolicy-2.20210130/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/system/init.te > +++ refpolicy-2.20210130/policy/modules/system/init.te > @@ -1094,6 +1094,7 @@ optional_policy(` > ') > > optional_policy(` > + clamav_filetrans_runtime_dir(initrc_t) > clamav_read_config(initrc_t) > ') > > @@ -1287,6 +1288,10 @@ optional_policy(` > ') > > optional_policy(` > + ftp_filetrans_pure_ftpd_runtime(initrc_t) > +') > + > +optional_policy(` > rpc_read_exports(initrc_t) > ') > > Index: refpolicy-2.20210130/policy/modules/services/milter.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/services/milter.if > +++ refpolicy-2.20210130/policy/modules/services/milter.if > @@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state', > > ######################################## > ## > +## create spamass milter state dir > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`milter_filetrans_spamass_state',` > + gen_require(` > + type spamass_milter_state_t; > + ') > + > + files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter") > +') > + > +######################################## > +## > ## Get the attributes of the spamassissin milter data dir. > ## > ## > Index: refpolicy-2.20210130/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20210130/policy/modules/system/unconfined.te > @@ -67,6 +67,7 @@ ifdef(`init_systemd',` > > optional_policy(` > systemd_dbus_chat_resolved(unconfined_t) > + systemd_filetrans_passwd_runtime_dirs(unconfined_t) > ') > ') > > Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20210130/policy/modules/roles/sysadm.te > @@ -99,6 +99,7 @@ ifdef(`init_systemd',` > # LookupDynamicUserByUID on org.freedesktop.systemd1. > init_dbus_chat(sysadm_t) > > + systemd_run_passwd_agent(sysadm_t, sysadm_r) > systemd_watch_passwd_runtime_dirs(sysadm_t) > ') > > Index: refpolicy-2.20210130/policy/modules/system/systemd.if > =================================================================== > --- refpolicy-2.20210130.orig/policy/modules/system/systemd.if > +++ refpolicy-2.20210130/policy/modules/system/systemd.if > @@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds' > allow systemd_passwd_agent_t $1:fd use; > ') > > +######################################## > +## > +## allow systemd_passwd_agent to be run by admin > +## > +## > +## > +## Domain that runs it > +## > +## > +## > +## > +## role that it runs in > +## > +## > +# > +interface(`systemd_run_passwd_agent',` > + gen_require(` > + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t; > + ') > + > + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t) > + allow systemd_passwd_agent_t $1:fd use; > + role $2 types systemd_passwd_agent_t; > +') > + > ####################################### > ## > ## Allow a systemd_passwd_agent_t process to interact with a daemon > -- Chris PeBenito