2019-01-04 07:35:14

by Russell Coker

Subject: [PATCH] last misc stuff

More tiny patches. Note that this and the other two patches I just sent are not
dependent on each other; please apply any that you like.

Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)

-ifndef(`distro_redhat',`
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
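Review bot: Labeling `/usr/sbin/update-apt-xapian-index` as apt_exec_t (the `+/usr/sbin/update-apt-xapian-index` line) runs a search-index builder in the same domain as apt itself, which this thread later describes as able to write everything and change config files; the indexer only needs to read the package lists and write its own index, so a dedicated domain, or at least a comment recording why it shares the apt domain, would be better. The new ifndef split also leaves `/usr/bin/apt` and the xapian indexer unconditional while apt-shell stays Debian-only, which reads as accidental rather than deliberate, and the reply below already notes the resulting clash with the rpm module's fc entries. If the entry stays, add `# update-apt-xapian-index only reads package lists; shares apt_exec_t pending its own domain` above it.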
Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)

logging_send_syslog_msg(backup_t)

+miscfiles_read_localization(backup_t)
+
sysnet_read_config(backup_t)

userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
')

optional_policy(`
+ init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
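Review bot: `init_dbus_chat(dpkg_script_t)` is added without a comment saying which maintainer-script action needs a two-way D-Bus conversation with init, and on systemd hosts that interface is the unit start/stop/reload API, so the trigger should be recorded. Something like `# maintainer scripts run systemctl (daemon-reload/restart), which talks to systemd over D-Bus` — hedged, since the caller is not visible in this hunk. dpkg_script_t already runs arbitrary package scripts, so the added reach is modest, but the justification is what a later reviewer trimming the policy will look for.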

Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)

mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
#

allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
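Review bot: The change to `dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };` silences a CAP_NET_ADMIN check without saying what requests it; this is commonly a library calling setsockopt() to force socket buffer sizes, which is harmless to deny, but that is an inference and not shown by the hunk. dontaudit rather than allow is the right call — groupadd has no reason to hold net_admin — so just add a comment such as `# net_admin: socket buffer tuning by a library, safe to deny` so nobody later upgrades it to an allow. The same applies to the matching useradd_t line further down.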
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)

optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
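Review bot: `dbus_system_bus_client(groupadd_t)` gives groupadd a system-bus connection and send permission to the bus daemon, but nothing in the hunk names the service it actually talks to, so the rule cannot be checked for least privilege. If the peer is known, add the corresponding `<peer>_dbus_chat(groupadd_t)` next to it with a comment, e.g. `# groupadd talks to <service> over the system bus`; if the access is only connection noise, a dontaudit would be safer than an allow. The same question applies to the useradd_t hunk below.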
@@ -269,6 +273,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
')

+optional_policy(`
+ unconfined_use_fds(groupadd_t)
+')
+
########################################
#
# Passwd local policy
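Review bot: `unconfined_use_fds(groupadd_t)` is an allow, so a groupadd started from an unconfined process may now operate on any descriptor it inherited rather than merely not logging the attempt; given `userdom_use_unpriv_users_fds(groupadd_t)` already exists (context line above), the unconfined case presumably arises when an administrator runs groupadd from an unconfined shell. That is a reasonable use, but please record it, e.g. `# inherit fds when run from an unconfined admin shell`, and consider a dontaudit variant if the descriptors are not actually needed. The identical rule is added for useradd_t at the end of this file and wants the same comment.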
@@ -446,7 +454,7 @@ optional_policy(`
#

allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
@@ -560,3 +572,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
+ unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn

userdom_use_user_terminals(syncthing_t)

-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
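Review bot: `/usr/share/smartmontools/.*` with `--` labels every regular file under that directory bin_t, not just the helper scripts, so any data shipped there (for example a drive database, if the distribution installs one under /usr/share) becomes an executable type that bin_t-executing domains may run. Name the scripts instead, e.g. `/usr/share/smartmontools/smartd_warning\.sh -- gen_context(system_u:object_r:bin_t,s0)` and `/usr/share/smartmontools/smartd-runner -- gen_context(system_u:object_r:bin_t,s0)`, adjusted to the files actually present. The other two additions in this file (`crda/setregdomain`, `rsyslog/rsyslog-rotate`) are single-file entries and look fine.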
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;

allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)

miscfiles_read_localization(local_login_t)

+userdom_manage_all_users_keys(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
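Review bot: `userdom_manage_all_users_keys(local_login_t)` grants login full management, including read and write, of the kernel keys of every user domain, which is wider than session-keyring setup usually needs; if the trigger is pam_keyinit creating or linking the session keyring, what is generally needed is create/link/setattr/search rather than read/write of key payloads, and the policy should say that is what was observed. Add a comment either way, e.g. `# pam_keyinit: set up the session keyring for the logging-in user`, so the breadth is revisited if a narrower userdom_ interface becomes available. The added `getcap setcap` process permissions in the earlier hunk are consistent with login adjusting capabilities before the user transition and look fine.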
Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)

fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
allow dhcpc_t dhcp_state_t:file read_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;

# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)

logging_send_syslog_msg(ifconfig_t)

+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(ifconfig_t)

seutil_use_runinit_fds(ifconfig_t)
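Review bot: `miscfiles_read_generic_certs(dhcpc_t)` is placed in the ifconfig_t section (every context line around it addresses ifconfig_t), so it should move up to the dhcpc_t local policy block where the other dhcpc_t rules live; otherwise the dhcpc_t section looks incomplete and nobody reading the ifconfig_t section expects a dhcpc_t rule there. The comment `# dhclient reads /etc/ssl` records what was observed but not why; if this comes from a crypto library initializing at startup rather than dhclient needing a CA store, say so, e.g. `# dhclient reads /etc/ssl (crypto library initialization, no TLS use)` — hedged, since the cause is not visible in this hunk.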
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
')

optional_policy(`
- lvm_domtrans(udev_t)
-')
-
-optional_policy(`
fstools_domtrans(udev_t)
')

@@ -328,6 +324,10 @@ optional_policy(`
')

optional_policy(`
+ iptables_domtrans(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')



2019-01-05 19:39:28

by Chris PeBenito

Subject: Re: [PATCH] last misc stuff

On 1/4/19 2:35 AM, Russell Coker wrote:
> More tiny patches. Note that this and the other 2 patches I just sent are not
> dependent on each other, please apply any that you like.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> @@ -1,9 +1,12 @@
> /etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -ifndef(`distro_redhat',`
> +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +
> +ifndef(`distro_redhat',`
> +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)

I modified some of these changes, as they result in file context
conflicts with the RPM module. More precisely, I removed the fc
entries in the RPM module that label the apt executables, and I moved
apt-shell back out of the ifndef block.

I think the synaptic and packagekit fc entries, which appear in both the
apt and rpm modules, may need to be dropped and moved to the distributions'
patches. Either that, or this ifndef needs to become an ifdef for debian
(or something else).

Otherwise merged.


> Index: refpolicy-2.20180701/policy/modules/admin/backup.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
> +++ refpolicy-2.20180701/policy/modules/admin/backup.te
> @@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
>
> logging_send_syslog_msg(backup_t)
>
> +miscfiles_read_localization(backup_t)
> +
> sysnet_read_config(backup_t)
>
> userdom_use_user_terminals(backup_t)
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
> @@ -317,6 +317,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + init_dbus_chat(dpkg_script_t)
> +')
> +
> +optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
> fs_getattr_xattr_fs(logrotate_t)
> fs_list_inotifyfs(logrotate_t)
> fs_getattr_tmpfs(logrotate_t)
> +# killall reads nsfs files
> +fs_read_nsfs_files(logrotate_t)
>
> mls_file_read_all_levels(logrotate_t)
> mls_file_write_all_levels(logrotate_t)
> Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
> @@ -189,7 +189,7 @@ optional_policy(`
> #
>
> allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
> -dontaudit groupadd_t self:capability { fsetid sys_tty_config };
> +dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
> allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow groupadd_t self:fd use;
> allow groupadd_t self:fifo_file rw_fifo_file_perms;
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
> userdom_dontaudit_search_user_home_dirs(groupadd_t)
>
> optional_policy(`
> + dbus_system_bus_client(groupadd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(groupadd_t)
> dpkg_rw_pipes(groupadd_t)
> ')
> @@ -269,6 +273,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + unconfined_use_fds(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
> @@ -446,7 +454,7 @@ optional_policy(`
> #
>
> allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
> -dontaudit useradd_t self:capability sys_tty_config;
> +dontaudit useradd_t self:capability { net_admin sys_tty_config };
> allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow useradd_t self:fd use;
> allow useradd_t self:fifo_file rw_fifo_file_perms;
> @@ -538,6 +546,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_system_bus_client(useradd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(useradd_t)
> dpkg_rw_pipes(useradd_t)
> ')
> @@ -560,3 +572,7 @@ optional_policy(`
> rpm_use_fds(useradd_t)
> rpm_rw_pipes(useradd_t)
> ')
> +
> +optional_policy(`
> + unconfined_use_fds(useradd_t)
> +')
> Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
> +++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
> @@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
>
> userdom_use_user_terminals(syncthing_t)
>
> -optional_policy(`
> - # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
> - networkmanager_read_pid_files(syncthing_t)
> -')
> Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> @@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
> @@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> @@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
> /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20180701/policy/modules/system/locallogin.te
> @@ -34,7 +34,7 @@ role system_r types sulogin_t;
>
> allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> dontaudit local_login_t self:capability net_admin;
> -allow local_login_t self:process { setexec setrlimit setsched };
> +allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
> allow local_login_t self:sock_file read_sock_file_perms;
> @@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
>
> miscfiles_read_localization(local_login_t)
>
> +userdom_manage_all_users_keys(local_login_t)
> userdom_spec_domtrans_all_users(local_login_t)
> userdom_signal_all_users(local_login_t)
> userdom_search_user_home_content(local_login_t)
> Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> @@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
> +fs_getattr_cgroup(setfiles_t)
> fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
> allow dhcpc_t dhcp_state_t:file read_file_perms;
> manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
> filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
> +allow dhcpc_t dhcpc_state_t:file map;
>
> # create pid file
> manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
> @@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
>
> logging_send_syslog_msg(ifconfig_t)
>
> +# dhclient reads /etc/ssl
> +miscfiles_read_generic_certs(dhcpc_t)
> miscfiles_read_localization(ifconfig_t)
>
> seutil_use_runinit_fds(ifconfig_t)
> Index: refpolicy-2.20180701/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20180701/policy/modules/system/udev.te
> @@ -306,10 +306,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - lvm_domtrans(udev_t)
> -')
> -
> -optional_policy(`
> fstools_domtrans(udev_t)
> ')
>
> @@ -328,6 +324,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_domtrans(udev_t)
> +')
> +
> +optional_policy(`
> lvm_domtrans(udev_t)
> ')
>
>


--
Chris PeBenito

2019-01-06 02:22:10

by Russell Coker

Subject: Re: [PATCH] last misc stuff

On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> > @@ -1,9 +1,12 @@
> > /etc/cron\.daily/apt --
> > gen_context(system_u:object_r:apt_exec_t,s0)
> >
> > -ifndef(`distro_redhat',`
> > +/usr/bin/apt --
> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
> > gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
> > -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
> > -- gen_context(system_u:object_r:apt_exec_t,s0)
> > +/usr/sbin/update-apt-xapian-index --
> > gen_context(system_u:object_r:apt_exec_t,s0) +
> > +ifndef(`distro_redhat',`
> > +/usr/bin/apt-shell --
> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
> > gen_context(system_u:object_r:apt_exec_t,s0)
> > /usr/lib/packagekit/packagekitd --
> > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
> > gen_context(system_u:object_r:apt_var_cache_t,s0)
> I modified some of these changes, as it results in file context
> conflicts with the RPM module. More accurately, I removed the fc
> entries in RPM that label the apt executables. I moved the apt-shell
> back out of the ifndef block.
>
> I think the synaptic and packagekit fc entries, which are in both apt
> and rpm modules, may need to be dropped and move to the distro's
> patches. Either that, or this ifndef needs to turn into ifdef debian
> (or something else).
>
> Otherwise merged.

I agree that things should be reconsidered with apt policy.

Do we even need separate apt and rpm policy given that both package managers
have access to write everything and change config files?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2019-01-06 07:38:50

by Dac Override

Subject: Re: [PATCH] last misc stuff

Russell Coker <[email protected]> writes:

> On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
>> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > ===================================================================
>> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
>> > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > @@ -1,9 +1,12 @@
>> > /etc/cron\.daily/apt --
>> > gen_context(system_u:object_r:apt_exec_t,s0)
>> >
>> > -ifndef(`distro_redhat',`
>> > +/usr/bin/apt --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
>> > gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
>> > -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
>> > -- gen_context(system_u:object_r:apt_exec_t,s0)
>> > +/usr/sbin/update-apt-xapian-index --
>> > gen_context(system_u:object_r:apt_exec_t,s0) +
>> > +ifndef(`distro_redhat',`
>> > +/usr/bin/apt-shell --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
>> > gen_context(system_u:object_r:apt_exec_t,s0)
>> > /usr/lib/packagekit/packagekitd --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
>> > gen_context(system_u:object_r:apt_var_cache_t,s0)
>> I modified some of these changes, as it results in file context
>> conflicts with the RPM module. More accurately, I removed the fc
>> entries in RPM that label the apt executables. I moved the apt-shell
>> back out of the ifndef block.
>>
>> I think the synaptic and packagekit fc entries, which are in both apt
>> and rpm modules, may need to be dropped and move to the distro's
>> patches. Either that, or this ifndef needs to turn into ifdef debian
>> (or something else).
>>
>> Otherwise merged.
>
> I agree that things should be reconsidered with apt policy.
>
> Do we even need separate apt and rpm policy given that both package managers
> have access to write everything and change config files?

AFAIK, apt could simply be made part of the rpm domain — even dpkg could be.
The only thing that I think would need care in that case is adding a
`typealias rpm_script_t alias dpkg_script_t;`, because dpkg is SELinux-aware
and deliberately transitions to dpkg_script_t itself to execute the
maintainer scriptlets.

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2019-01-06 19:14:38

by Chris PeBenito

Subject: Re: [PATCH] last misc stuff

On 1/6/19 2:38 AM, Dominick Grift wrote:
> Russell Coker <[email protected]> writes:
>
>> On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
>>>> Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
>>>> ===================================================================
>>>> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
>>>> +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
>>>> @@ -1,9 +1,12 @@
>>>> /etc/cron\.daily/apt --
>>>> gen_context(system_u:object_r:apt_exec_t,s0)
>>>>
>>>> -ifndef(`distro_redhat',`
>>>> +/usr/bin/apt --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
>>>> -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
>>>> -- gen_context(system_u:object_r:apt_exec_t,s0)
>>>> +/usr/sbin/update-apt-xapian-index --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) +
>>>> +ifndef(`distro_redhat',`
>>>> +/usr/bin/apt-shell --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
>>>> gen_context(system_u:object_r:apt_exec_t,s0)
>>>> /usr/lib/packagekit/packagekitd --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
>>>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>>> I modified some of these changes, as it results in file context
>>> conflicts with the RPM module. More accurately, I removed the fc
>>> entries in RPM that label the apt executables. I moved the apt-shell
>>> back out of the ifndef block.
>>>
>>> I think the synaptic and packagekit fc entries, which are in both apt
>>> and rpm modules, may need to be dropped and move to the distro's
>>> patches. Either that, or this ifndef needs to turn into ifdef debian
>>> (or something else).
>>>
>>> Otherwise merged.
>>
>> I agree that things should be reconsidered with apt policy.
>>
>> Do we even need separate apt and rpm policy given that both package managers
>> have access to write everything and change config files?
>
> AFAIK, apt can probably just be part of the rpm domain. Heck even dpkg
> can be. The only thing , i think, that in that case should be taken care of
> is to make a typealias rpm_script_t dpkg_script_t because dpkg has
> selinux awareness and wants to manually transition to dpkg_script_t to
> execute the scriptlets

I'd be open to merging the two modules, if they're similar enough. It would be
nice to compare the two modules more deeply; unfortunately one feature I
haven't reimplemented from setools3 is the type relationship analysis,
which would be perfect for this.

--
Chris PeBenito