Patches for apt unattended upgrades and dbus, logrotate certs and samba,
games_t, mplayer/mencoder, and sysadm_t dbus.
Signed-off-by: Russell Coker <[email protected]>
Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210120/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
ifndef(`distro_redhat',`
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
/var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
/var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20210120/policy/modules/admin/apt.te
@@ -155,6 +155,10 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_dbus_chat(apt_t)
+')
+
+optional_policy(`
nis_use_ypbind(apt_t)
')
@@ -169,5 +173,9 @@ optional_policy(`
')
optional_policy(`
+ systemd_dbus_chat_logind(apt_t)
+')
+
+optional_policy(`
unconfined_domain(apt_t)
')
Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
+
+ apt_use_fds(bootloader_t)
+ apt_use_ptys(bootloader_t)
')
ifdef(`distro_redhat',`
Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
logging_send_audit_msgs(logrotate_t)
logging_exec_all_logs(logrotate_t)
+miscfiles_read_generic_certs(logrotate_t)
miscfiles_read_localization(logrotate_t)
seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
')
optional_policy(`
+ samba_domtrans_smbcontrol(logrotate_t)
samba_exec_log(logrotate_t)
')
Index: refpolicy-2.20210120/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210120/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
can_exec(games_t, games_exec_t)
+kernel_read_kernel_sysctls(games_t)
kernel_read_system_state(games_t)
corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
corenet_all_recvfrom_netlabel(games_t)
corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
logging_dontaudit_search_logs(games_t)
+miscfiles_read_generic_certs(games_t)
miscfiles_read_man_pages(games_t)
miscfiles_read_localization(games_t)
@@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
')
optional_policy(`
+ alsa_read_config(games_t)
+')
+
+optional_policy(`
dbus_all_session_bus_client(games_t)
dbus_connect_all_session_bus(games_t)
+ dbus_read_lib_files(games_t)
+ dbus_system_bus_client(games_t)
')
optional_policy(`
@@ -175,6 +184,11 @@ optional_policy(`
')
optional_policy(`
+ xdg_read_config_files(games_t)
+ xdg_read_data_files(games_t)
+')
+
+optional_policy(`
xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
xserver_create_xdm_tmp_sockets(games_t)
xserver_read_xdm_lib_files(games_t)
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
domtrans_pattern($2, mencoder_exec_t, mencoder_t)
domtrans_pattern($2, mplayer_exec_t, mplayer_t)
- allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+ allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
ps_process_pattern($2, { mplayer_t mencoder_t })
allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
fs_manage_cifs_symlinks(mencoder_t)
')
+tunable_policy(`xserver_allow_dri',`
+ dev_rw_dri(mplayer_t)
+')
+
########################################
#
# Mplayer local policy
#
-allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:process { signal_perms getsched setsched };
allow mplayer_t self:fifo_file rw_fifo_file_perms;
allow mplayer_t self:sem create_sem_perms;
allow mplayer_t self:udp_socket create_socket_perms;
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
kernel_dontaudit_list_unlabeled(mplayer_t)
kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_crypto_sysctls(mplayer_t)
kernel_read_system_state(mplayer_t)
kernel_read_kernel_sysctls(mplayer_t)
Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
@@ -530,6 +530,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
inn_admin(sysadm_t, sysadm_r)
')
Russell Coker <[email protected]> writes:
> Patches for apt unattended upgrades and dbus, logrotate certs and samba,
> games_t, mplayer/mencoder, and sysadm_t dbus.
>
> Signed-off-by: Russell Coker <[email protected]>
>
> Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210120/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
> /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> ifndef(`distro_redhat',`
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
> /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>
> /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210120/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(apt_t)
> ')
>
> @@ -169,5 +173,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(apt_t)
> ')
> Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>
> dpkg_read_db(bootloader_t)
> dpkg_rw_pipes(bootloader_t)
> +
> + apt_use_fds(bootloader_t)
> + apt_use_ptys(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
> logging_send_audit_msgs(logrotate_t)
> logging_exec_all_logs(logrotate_t)
>
> +miscfiles_read_generic_certs(logrotate_t)
> miscfiles_read_localization(logrotate_t)
>
> seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samba_domtrans_smbcontrol(logrotate_t)
> samba_exec_log(logrotate_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210120/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>
> can_exec(games_t, games_exec_t)
>
> +kernel_read_kernel_sysctls(games_t)
> kernel_read_system_state(games_t)
>
> corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>
> corenet_all_recvfrom_netlabel(games_t)
> corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>
> logging_dontaudit_search_logs(games_t)
>
> +miscfiles_read_generic_certs(games_t)
> miscfiles_read_man_pages(games_t)
> miscfiles_read_localization(games_t)
>
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
> ')
>
> optional_policy(`
> + alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
> dbus_all_session_bus_client(games_t)
> dbus_connect_all_session_bus(games_t)
> + dbus_read_lib_files(games_t)
> + dbus_system_bus_client(games_t)
> ')
>
> optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xdg_read_config_files(games_t)
> + xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
> domtrans_pattern($2, mencoder_exec_t, mencoder_t)
> domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>
> - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> + allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
> ps_process_pattern($2, { mplayer_t mencoder_t })
>
> allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
> fs_manage_cifs_symlinks(mencoder_t)
> ')
>
> +tunable_policy(`xserver_allow_dri',`
> + dev_rw_dri(mplayer_t)
> +')
> +
> ########################################
> #
> # Mplayer local policy
> #
>
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
> allow mplayer_t self:fifo_file rw_fifo_file_perms;
> allow mplayer_t self:sem create_sem_perms;
> allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
> kernel_dontaudit_list_unlabeled(mplayer_t)
> kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
> kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
> kernel_read_system_state(mplayer_t)
> kernel_read_kernel_sysctls(mplayer_t)
>
> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
> @@ -530,6 +530,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + init_dbus_chat(sysadm_t)
Can you explain why you added this?
> +')
> +
> +optional_policy(`
> inn_admin(sysadm_t, sysadm_r)
> ')
>
>
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Russell Coker <[email protected]> writes:
> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > + init_dbus_chat(sysadm_t)
>>
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no. I'll remove that bit
> and add it again with a note if it's necessary. Did you like the rest of that
> patch?
Yes and thats my beef with this. "some program wanted it". sysadm_t is a
shell domain. Any programs that need this should, in my view, ideally be
targeted. If you dont want that then use unconfined_t instead and be
done.
I dont want sysadm_t to become a "drunken unconfined_t".
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Russell Coker <[email protected]> writes:
> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > + init_dbus_chat(sysadm_t)
>>
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no. I'll remove that bit
> and add it again with a note if it's necessary. Did you like the rest of that
> patch?
Yes, if i didnt add any more comments then i liked the remainder of the
patch. I might have overlooked things though because that was quite a
load you dumped there.
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
Dominick Grift <[email protected]> writes:
> Russell Coker <[email protected]> writes:
>
>> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>>> > optional_policy(`
>>> > + init_dbus_chat(sysadm_t)
>>>
>>> Can you explain why you added this?
>>
>> Apart from the obvious that some program wanted it, no. I'll remove that bit
>> and add it again with a note if it's necessary. Did you like the rest of that
>> patch?
>
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
>
> I dont want sysadm_t to become a "drunken unconfined_t".
But also if this was added to support resolving dynamic users with
systemd then this is no longer needed because resolving of dynamic users
with systemd is no longer done with dbus. It is using varlink for that
now.
--
gpg --locate-keys [email protected]
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
> > optional_policy(`
> > + init_dbus_chat(sysadm_t)
>
> Can you explain why you added this?
Apart from the obvious that some program wanted it, no. I'll remove that bit
and add it again with a note if it's necessary. Did you like the rest of that
patch?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
On Thursday, 21 January 2021 2:06:25 AM AEDT Dominick Grift wrote:
> >> Can you explain why you added this?
> >
> > Apart from the obvious that some program wanted it, no. I'll remove that
> > bit and add it again with a note if it's necessary. Did you like the
> > rest of that patch?
>
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
>
> I dont want sysadm_t to become a "drunken unconfined_t".
Fair point.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/