This patch has some small interface changes as well as the policy patches to
use the new interfaces.
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
')
########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
')
########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
allow $1 dpkg_script_tmp_t:file map;
')
+
+########################################
+## <summary>
+## read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
')
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
')
########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
+########################################
## <summary>
## Execute pam programs in the pam domain.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
########################################
## <summary>
+## read mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mdadm pid files.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')
ifdef(`init_systemd',`
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
+auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
fs_mount_fusefs(bootloader_t)
fs_mount_xattr_fs(bootloader_t)
fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
# for apt-cache
apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
')
optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
hal_dontaudit_append_lib_files(bootloader_t)
hal_write_log(bootloader_t)
')
@@ -230,5 +237,9 @@ optional_policy(`
')
optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
rpm_rw_pipes(bootloader_t)
')
On 1/4/19 2:33 AM, Russell Coker wrote:
> This patch has some small interface changes as well as the policy patches to
> use the new interfaces.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir list_dir_perms;
> - allow $1 apt_var_cache_t:file read_file_perms;
> + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> ')
>
> ########################################
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir manage_dir_perms;
> - allow $1 apt_var_cache_t:file manage_file_perms;
> + allow $1 apt_var_cache_t:file { manage_file_perms map };
> ')
I dropped these hunks. In general the map should be a separate
interface, unless you're arguing that in all cases there should be mmaping.
Otherwise the remainder is merged.
> ########################################
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
>
> allow $1 dpkg_script_tmp_t:file map;
> ')
> +
> +########################################
> +## <summary>
> +## read dpkg_script_tmp_t links
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_read_script_tmp_links',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/gpm.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
> +++ refpolicy-2.20180701/policy/modules/services/gpm.if
> @@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
> ')
>
> dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ## <summary>
> +## relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
> ## Read and write to the last logins log.
> ## </summary>
> ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> ')
>
> ########################################
> +## <summary>
> +## Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + allow $1 lastlog_t:file manage_file_perms;
> + logging_rw_generic_log_dirs($1)
> +')
> +
> +########################################
> ## <summary>
> ## Execute pam programs in the pam domain.
> ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/raid.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/raid.if
> +++ refpolicy-2.20180701/policy/modules/system/raid.if
> @@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
>
> ########################################
> ## <summary>
> +## read mdadm pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`raid_read_mdadm_pid',`
> + gen_require(`
> + type mdadm_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 mdadm_var_run_t:dir list_dir_perms;
> + allow $1 mdadm_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## mdadm pid files.
> ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> @@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
> optional_policy(`
> nscd_use($1)
> ')
> + optional_policy(`
> + # for /etc/resolv.conf symlink
> + networkmanager_read_pid_files($1)
> + ')
>
> ifdef(`init_systemd',`
> optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -136,6 +136,7 @@ optional_policy(`
> # for postinst of a new kernel package
> dpkg_manage_script_tmp_files(kmod_t)
> dpkg_map_script_tmp_files(kmod_t)
> + dpkg_read_script_tmp_links(kmod_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
> # for /etc/mtab
> files_manage_etc_symlinks(systemd_tmpfiles_t)
>
> +fs_getattr_tmpfs(systemd_tmpfiles_t)
> +fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
> fs_getattr_xattr_fs(systemd_tmpfiles_t)
>
> selinux_get_fs_mount(systemd_tmpfiles_t)
> selinux_search_fs(systemd_tmpfiles_t)
>
> +auth_append_lastlog(systemd_tmpfiles_t)
> auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_lastlog(systemd_tmpfiles_t)
> auth_manage_login_records(systemd_tmpfiles_t)
> auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_lastlog(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
> @@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
> mls_file_write_all_levels(bootloader_t)
>
> term_getattr_all_ttys(bootloader_t)
> +term_getattr_generic_ptys(bootloader_t)
> term_dontaudit_manage_pty_dirs(bootloader_t)
>
> corecmd_exec_all_executables(bootloader_t)
> @@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
> domain_use_interactive_fds(bootloader_t)
>
> files_create_boot_dirs(bootloader_t)
> +files_getattr_default_dirs(bootloader_t)
> files_manage_boot_files(bootloader_t)
> files_manage_boot_symlinks(bootloader_t)
> files_read_etc_files(bootloader_t)
> @@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
> files_etc_filetrans_etc_runtime(bootloader_t, file)
> files_dontaudit_search_home(bootloader_t)
>
> +fs_list_hugetlbfs(bootloader_t)
> fs_mount_fusefs(bootloader_t)
> fs_mount_xattr_fs(bootloader_t)
> fs_mounton_fusefs(bootloader_t)
> @@ -172,7 +175,7 @@ ifdef(`distro_debian',`
>
> # for apt-cache
> apt_read_db(bootloader_t)
> - apt_read_cache(bootloader_t)
> + apt_manage_cache(bootloader_t)
>
> dpkg_read_db(bootloader_t)
> dpkg_rw_pipes(bootloader_t)
> @@ -204,6 +207,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gpm_getattr_gpmctl(bootloader_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_append_lib_files(bootloader_t)
> hal_write_log(bootloader_t)
> ')
> @@ -230,5 +237,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + raid_read_mdadm_pid(bootloader_t)
> +')
> +
> +optional_policy(`
> rpm_rw_pipes(bootloader_t)
> ')
>
--
Chris PeBenito
On Sunday, 6 January 2019 5:39:37 AM AEDT Chris PeBenito wrote:
> On 1/4/19 2:33 AM, Russell Coker wrote:
> > This patch has some small interface changes as well as the policy patches
> > to use the new interfaces.
> >
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> > @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir list_dir_perms;
> > - allow $1 apt_var_cache_t:file read_file_perms;
> > + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> > ')
> >
> > ########################################
> > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir manage_dir_perms;
> > - allow $1 apt_var_cache_t:file manage_file_perms;
> > + allow $1 apt_var_cache_t:file { manage_file_perms map };
> > ')
>
> I dropped these hunks. In general the map should be a separate
> interface, unless you're arguing that in all cases there should be mmaping.
>
> Otherwise the remainder is merged.
While it is possible for anyone to write code that manages the apt cache, in
general anything that touches it will do so via apt utilities or shared
objects (usually by executing /usr/bin/apt-cache which has bin_t).
Yes I think that in all cases there should be a mapping because in all likely
cases that will exist (all cases that are known to exist) the same code is
used for accessing those files.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/