Here are the things that weren't applied from my previous patches, I think they
are all worthy of inclusion.
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
')
########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
')
########################################
Index: refpolicy-2.20180701/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180701/policy/modules/system/systemd.if
@@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
+ ps_process_pattern(systemd_passwd_agent_t, $1)
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
@@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+#######################################
+## <summary>
+## Allow domain to list dirs under /run/systemd/netif
+## </summary>
+## <param name="domain">
+## <summary>
+## domain permitted the access
+## </summary>
+## </param>
+#
+interface(`systemd_list_netif',`
+ gen_require(`
+ type systemd_networkd_var_run_t;
+ ')
+
+ init_list_pids($1)
+ allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20180701/policy/modules/services/ntp.te
@@ -152,7 +152,7 @@ ifdef(`init_systemd',`
init_list_var_lib_dirs(ntpd_t)
# for /run/systemd/netif/links
- init_list_pids(ntpd_t)
+ systemd_list_netif(ntpd_t)
optional_policy(`
unconfined_dbus_send(ntpd_t)
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -552,6 +552,8 @@ ifdef(`init_systemd',`
init_dgram_send(syslogd_t)
init_read_pid_pipes(syslogd_t)
init_read_state(syslogd_t)
+ # for /run/systemd/units/invocation:* links
+ init_read_unit_links(syslogd_t)
systemd_manage_journal_files(syslogd_t)
On 1/5/19 9:42 PM, Russell Coker wrote:
> Here are the things that weren't applied from my previous patches, I think they
> are all worthy of inclusion.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir list_dir_perms;
> - allow $1 apt_var_cache_t:file read_file_perms;
> + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> ')
>
> ########################################
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir manage_dir_perms;
> - allow $1 apt_var_cache_t:file manage_file_perms;
> + allow $1 apt_var_cache_t:file { manage_file_perms map };
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180701/policy/modules/system/systemd.if
> @@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
> manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
>
> allow systemd_passwd_agent_t $1:process signull;
> + ps_process_pattern(systemd_passwd_agent_t, $1)
> allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
> ')
>
> @@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
>
> getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Allow domain to list dirs under /run/systemd/netif
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain permitted the access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_list_netif',`
I renamed this.
> + gen_require(`
> + type systemd_networkd_var_run_t;
> + ')
> +
> + init_list_pids($1)
> + allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/ntp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
> +++ refpolicy-2.20180701/policy/modules/services/ntp.te
> @@ -152,7 +152,7 @@ ifdef(`init_systemd',`
> init_list_var_lib_dirs(ntpd_t)
>
> # for /run/systemd/netif/links
> - init_list_pids(ntpd_t)
> + systemd_list_netif(ntpd_t)
>
> optional_policy(`
> unconfined_dbus_send(ntpd_t)
> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> @@ -552,6 +552,8 @@ ifdef(`init_systemd',`
> init_dgram_send(syslogd_t)
> init_read_pid_pipes(syslogd_t)
> init_read_state(syslogd_t)
> + # for /run/systemd/units/invocation:* links
> + init_read_unit_links(syslogd_t)
>
> systemd_manage_journal_files(syslogd_t)
>
>
See other thread for why I dropped this hunk. Otherwise merged.
--
Chris PeBenito