2021-01-21 13:55:18

by Russell Coker

[permalink] [raw]
Subject: [PATCH] misc services patches with changes Dominick wanted

This patch has some changes Dominick wanted and some parts that he disliked
removed. The one place where I didn't make his change I gave less access than
he recommended.

I think this is ready for merging.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
/usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
/usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
/usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)

ifdef(`distro_suse',`
/usr/sbin/httpd2-.* -- gen_context(system_u:object_r:httpd_exec_t,s0)
@@ -144,7 +146,7 @@ ifdef(`distro_suse',`
/var/lib/php/session(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/var/lib/pootle/po(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/rt3/data/RT-Shredder(/.*)? gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)? gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
/var/lib/stickshift/\.httpd\.d(/.*)? gen_context(system_u:object_r:httpd_config_t,s0)
/var/lib/svn(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
/var/lib/trac(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -170,6 +172,7 @@ ifdef(`distro_suse',`
/var/log/roundcubemail(/.*)? gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/suphp\.log.* -- gen_context(system_u:object_r:httpd_log_t,s0)
/var/log/z-push(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log -- gen_context(system_u:object_r:httpd_log_t,s0)

/run/apache.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/cherokee\.pid -- gen_context(system_u:object_r:httpd_runtime_t,s0)
@@ -178,6 +181,7 @@ ifdef(`distro_suse',`
/run/httpd.* gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/lighttpd(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/mod_.* gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)? gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/wsgi.* -s gen_context(system_u:object_r:httpd_runtime_t,s0)
/run/user/apache(/.*)? gen_context(system_u:object_r:httpd_tmp_t,s0)

Index: refpolicy-2.20210120/policy/modules/services/apache.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.if
+++ refpolicy-2.20210120/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`

manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+ allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`

tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+ allow httpd_t httpd_$1_content_t:file map;
+ allow httpd_t httpd_$1_rw_content_t:file map;
')
')

@@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
apache_search_sys_content($1)
manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+ allow $1 httpd_sys_rw_content_t:file map;
manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
')

@@ -1132,6 +1136,24 @@ interface(`apache_append_squirrelmail_da
')

########################################
+## <summary>
+## delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+ gen_require(`
+ type squirrelmail_spool_t;
+ ')
+
+ delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
+########################################
## <summary>
## Search httpd system content.
## </summary>
Index: refpolicy-2.20210120/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210120/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;

allow httpd_t httpd_config_t:dir list_dir_perms;
read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
allow httpd_t httpd_htaccess_type:file read_file_perms;

allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;

allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;

allow httpd_t httpd_suexec_exec_t:file read_file_perms;

@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process

manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_

manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })

@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)

kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
kernel_read_vm_sysctls(httpd_t)
kernel_read_vm_overcommit_sysctl(httpd_t)
kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
dev_read_rand(httpd_t)
dev_read_urand(httpd_t)
dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)

domain_use_interactive_fds(httpd_t)

@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)

fs_read_anon_inodefs_files(httpd_t)
fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
fs_read_iso9660_files(httpd_t)

files_dontaudit_getattr_all_runtime_files(httpd_t)
files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
files_list_mnt(httpd_t)
files_search_spool(httpd_t)
files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
files_getattr_home_dir(httpd_t)
files_read_etc_runtime_files(httpd_t)
files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)

auth_use_nsswitch(httpd_t)

@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)

allow httpd_t httpdcontent:dir list_dir_perms;
- allow httpd_t httpdcontent:file read_file_perms;
+ allow httpd_t httpdcontent:file { map read_file_perms };
allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;

allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http

manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+ allow httpd_t httpdcontent:file map;
manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -903,6 +913,7 @@ optional_policy(`
#

read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;

append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@

/usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)

-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)

+/run/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)
/run/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_runtime_t,s0)

+/var/cache/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)
/var/cache/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_cache_t,s0)

/var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)

+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
/var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+######################################
+## <summary>
+## read aptcacher config
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed to read it.
+## </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+ gen_require(`
+ type aptcacher_etc_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 aptcacher_etc_t:dir list_dir_perms;
+ allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_

auth_use_nsswitch(aptcacher_t)

+files_read_etc_files(aptcacher_t)
+
# Uses sd_notify() to inform systemd it has properly started
init_dgram_send(aptcacher_t)

Index: refpolicy-2.20210120/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210120/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)

files_read_etc_runtime_files(named_t)
files_read_usr_files(named_t)
+files_map_usr_files(named_t)

fs_getattr_all_fs(named_t)
fs_search_auto_mountpoints(named_t)
Index: refpolicy-2.20210120/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210120/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
allow colord_t self:tcp_socket { accept listen };
allow colord_t self:shm create_shm_perms;

+can_exec(colord_t, colord_exec_t)
+
manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -128,6 +130,10 @@ optional_policy(`
')

optional_policy(`
+ snmp_read_snmp_var_lib_files(colord_t)
+')
+
+optional_policy(`
sysnet_exec_ifconfig(colord_t)
')

@@ -136,6 +142,10 @@ optional_policy(`
')

optional_policy(`
+ unconfined_dbus_send(colord_t)
+')
+
+optional_policy(`
xserver_read_xdm_lib_files(colord_t)
xserver_use_xdm_fds(colord_t)
')
Index: refpolicy-2.20210120/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210120/policy/modules/services/cron.te
@@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
init_get_generic_units_status(system_cronjob_t)
init_get_system_status(system_cronjob_t)

+backup_manage_store_files(system_cronjob_t)
+
auth_manage_var_auth(crond_t)
auth_use_pam(crond_t)

@@ -340,6 +342,11 @@ ifdef(`distro_debian',`
')

optional_policy(`
+ aptcacher_read_config(system_cronjob_t)
+ corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+ ')
+
+ optional_policy(`
logwatch_search_cache_dir(crond_t)
')
')
@@ -435,6 +442,7 @@ optional_policy(`
init_dbus_chat(crond_t)
init_dbus_chat(system_cronjob_t)
systemd_dbus_chat_logind(system_cronjob_t)
+ systemd_read_journal_files(system_cronjob_t)
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
@@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
corenet_udp_sendrecv_generic_if(system_cronjob_t)
corenet_tcp_sendrecv_generic_node(system_cronjob_t)
corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)

dev_getattr_all_blk_files(system_cronjob_t)
dev_getattr_all_chr_files(system_cronjob_t)
@@ -587,6 +596,7 @@ optional_policy(`
apache_read_log(system_cronjob_t)
apache_read_sys_content(system_cronjob_t)
apache_delete_lib_files(system_cronjob_t)
+ apache_delete_squirrelmail_spool(system_cronjob_t)
')

optional_policy(`
@@ -659,6 +669,8 @@ optional_policy(`

optional_policy(`
spamassassin_manage_lib_files(system_cronjob_t)
+ spamassassin_status(system_cronjob_t)
+ spamassassin_reload(system_cronjob_t)
')

optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210120/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`

allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
allow cupsd_t self:fifo_file rw_fifo_file_perms;
allow cupsd_t self:unix_stream_socket { accept connectto listen };
allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
allow cupsd_t self:shm create_shm_perms;
allow cupsd_t self:sem create_sem_perms;
allow cupsd_t self:tcp_socket { accept listen };
@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)

libs_read_lib_files(cupsd_t)
libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)

logging_send_audit_msgs(cupsd_t)
logging_send_syslog_msg(cupsd_t)
Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210120/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
fs_unmount_all_fs(devicekit_disk_t)
fs_search_all(devicekit_disk_t)

+mount_rw_runtime_files(devicekit_disk_t)
+
mls_file_read_all_levels(devicekit_disk_t)
mls_file_write_to_clearance(devicekit_disk_t)

Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
+++ refpolicy-2.20210120/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)

fs_getattr_all_fs(entropyd_t)
fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)

domain_use_interactive_fds(entropyd_t)

Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)

kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)

corecmd_exec_bin(fail2ban_t)
corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
auth_use_nsswitch(fail2ban_t)

logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
logging_send_syslog_msg(fail2ban_t)

miscfiles_read_localization(fail2ban_t)
Index: refpolicy-2.20210120/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20210120/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
# usr for lua modules
files_read_usr_files(jabberd_t)

+files_search_var_lib(jabberd_t)
+
fs_search_auto_mountpoints(jabberd_t)

+miscfiles_read_generic_tls_privkey(jabberd_t)
miscfiles_read_all_certs(jabberd_t)

sysnet_read_config(jabberd_t)
Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
+++ refpolicy-2.20210120/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
allow l2tpd_t self:tcp_socket { accept listen };
allow l2tpd_t self:unix_dgram_socket sendto;
allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;

read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)

Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -150,6 +150,10 @@ optional_policy(`
bind_read_zone(mon_net_test_t)
')

+optional_policy(`
+ mysql_stream_connect(mon_net_test_t)
+')
+
########################################
#
# Local policy
@@ -159,7 +163,8 @@ optional_policy(`
# try not to use dontaudit rules for this
#

-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
allow mon_local_test_t self:process getsched;

Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210120/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/usr/sbin/mysqld(-max)? -- gen_context(system_u:object_r:mysqld_exec_t,s0)
/usr/sbin/mysqlmanager -- gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
/usr/sbin/ndbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd -- gen_context(system_u:object_r:mysqld_exec_t,s0)

/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210120/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
# Local policy
#

-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
dontaudit mysqld_t self:capability sys_tty_config;
allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept

manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })

@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l

manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })

manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
kernel_read_network_state(mysqld_t)
kernel_read_system_state(mysqld_t)
kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)

corenet_all_recvfrom_netlabel(mysqld_t)
corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)

fs_getattr_all_fs(mysqld_t)
fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
fs_rw_hugetlbfs_files(mysqld_t)

files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)

logging_send_syslog_msg(mysqld_t)

+miscfiles_read_generic_certs(mysqld_t)
miscfiles_read_localization(mysqld_t)

userdom_search_user_home_dirs(mysqld_t)
Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210120/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)

auth_use_pam(openvpn_t)

+init_read_state(openvpn_t)
+
miscfiles_read_localization(openvpn_t)
miscfiles_read_all_certs(openvpn_t)

@@ -163,6 +165,10 @@ optional_policy(`
')

optional_policy(`
+ dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
+optional_policy(`
dbus_system_bus_client(openvpn_t)
dbus_connect_system_bus(openvpn_t)

@@ -174,3 +180,7 @@ optional_policy(`
optional_policy(`
systemd_use_passwd_agent(openvpn_t)
')
+
+optional_policy(`
+ unconfined_use_fds(openvpn_t)
+')
Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
+++ refpolicy-2.20210120/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)

manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)

manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210120/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir

kernel_read_network_state(nfsd_t)
kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
kernel_setsched(nfsd_t)
kernel_request_load_module(nfsd_t)
# kernel_mounton_proc(nfsd_t)
Index: refpolicy-2.20210120/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210120/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)

allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;

allow samba_net_t samba_etc_t:file read_file_perms;

+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)

@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n

manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")

@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {

manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,

manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })

@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)

stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;

kernel_getattr_core_if(smbd_t)
kernel_getattr_message_if(smbd_t)
@@ -480,6 +487,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_system_bus_client(smbd_t)
+')
+
+optional_policy(`
kerberos_read_keytab(smbd_t)
kerberos_use(smbd_t)
')
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { a

manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })

@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t
setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)

manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal

allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)

manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)

Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210120/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
# Local policy
#

-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
dontaudit fsdaemon_t self:capability sys_tty_config;
allow fsdaemon_t self:process { getcap setcap signal_perms };
allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210120/policy/modules/services/squid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/squid.te
+++ refpolicy-2.20210120/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
allow squid_t self:unix_dgram_socket sendto;
allow squid_t self:unix_stream_socket { accept connectto listen };
allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;

manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })

manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)

manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/tor.te
+++ refpolicy-2.20210120/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
kernel_read_kernel_sysctls(tor_t)
kernel_read_net_sysctls(tor_t)
kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)

corenet_all_recvfrom_netlabel(tor_t)
corenet_tcp_sendrecv_generic_if(tor_t)
Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20210120/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)

logging_send_syslog_msg(watchdog_t)

+mcs_killall(watchdog_t)
+
miscfiles_read_localization(watchdog_t)

sysnet_dns_name_resolve(watchdog_t)
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'

rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+ allow $1 mesa_shader_cache_t:file map;
xdg_search_cache_dirs($1)
')


2021-01-26 06:01:38

by Chris PeBenito

[permalink] [raw]
Subject: Re: [PATCH] misc services patches with changes Dominick wanted

On 1/21/21 8:46 AM, Russell Coker wrote:
> This patch has some changes Dominick wanted and some parts that he disliked
> removed. The one place where I didn't make his change I gave less access than
> he recommended.
>
> I think this is ready for merging.
>
> Signed-off-by: Russell Coker <[email protected]>

I think I'm ok with the changes, though I have a couple questions/comments:


> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
> /usr/sbin/rotatelogs -- gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
> /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
> /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php.*-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php-fpm[^/]+ -- gen_context(system_u:object_r:httpd_exec_t,s0)

I can fix this when merging, but please keep the fc entries in order.


> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>
> manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)

There's a lot of mmapping being added. Can you provide any additional context
on this? Is this induced by some config option? Is this apache only?


> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> files_search_runtime($1)
> stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
> ')
> +
> +######################################
> +## <summary>
> +## read aptcacher config
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed to read it.
> +## </summary>
> +## </param>
> +#
> +interface(`aptcacher_read_config',`
> + gen_require(`
> + type aptcacher_etc_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 aptcacher_etc_t:dir list_dir_perms;
> + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')

Is this the only useful way to read these files? There's no valid non-mmap
access? If regular read can be useful, then this should be
aptcatch_mmap_read_config().



> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>
> libs_read_lib_files(cupsd_t)
> libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)

This seems broken and should probably be in a debian distro block.



--
Chris PeBenito

2021-01-27 07:47:47

by Russell Coker

[permalink] [raw]
Subject: Re: [PATCH] misc services patches with changes Dominick wanted

On Tuesday, 26 January 2021 1:22:22 AM AEDT Chris PeBenito wrote:
> > gs_exec_t,s0)
> > /usr/sbin/suexec --
gen_context(system_u:object_r:httpd_suexec_exec
> > _t,s0)
> > /usr/sbin/wigwam --
gen_context(system_u:object_r:httpd_exec_t,s0)>
> > +/usr/sbin/php.*-fpm --
gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php-fpm[^/]+ --
gen_context(system_u:object_r:httpd_exec_t,
> > s0)
> I can fix this when merging, but please keep the fc entries in order.

OK, I'll do that in the next version.

> > @@ -71,6 +71,7 @@ template(`apache_content_template',`
> >
> > manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)>
> > + allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
> >
> > manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t) manage_fifo_files_pattern(httpd_$1_script_t,
> > httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> > manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t,
> > httpd_$1_rw_content_t)
> There's a lot of mmapping being added. Can you provide any additional
> context on this? Is this induced by some config option? Is this apache
> only?

It's for Apache, it maps all files it sends with no special configuration.

> > @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
> >
> > files_search_runtime($1)
> > stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t,
> > aptcacher_t)>
> > ')
> >
> > +
> > +######################################
> > +## <summary>
> > +## read aptcacher config
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain allowed to read it.
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`aptcacher_read_config',`
> > + gen_require(`
> > + type aptcacher_etc_t;
> > + ')
> > +
> > + files_search_etc($1)
> > + allow $1 aptcacher_etc_t:dir list_dir_perms;
> > + allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> > +')
>
> Is this the only useful way to read these files? There's no valid non-mmap
> access? If regular read can be useful, then this should be
> aptcatch_mmap_read_config().

OK.

> > @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
> >
> > libs_read_lib_files(cupsd_t)
> > libs_exec_lib_files(cupsd_t)
> >
> > +libs_legacy_use_ld_so(cupsd_t)
>
> This seems broken and should probably be in a debian distro block.

OK, I'll remove that and do more testing.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/