Hello !
I am trying to resubmit a set of patches to update the git Reference
Policy with permissions needed for usability on a generic recent Linux
installation.
This set of patches has been on RFC for several weeks now. Since then it
has been changed accordingly to the feedback received. In particular,
Dominick Grift has contributed substantially to this effort.
I have tried to add a description to each patch, although sometimes the
single patch is so short and self-explanatory that it is difficult to
comment.
In general each patch adds one or more permissions that appeared lacking
in the Reference Policy after testing it on a generic recent Linux
installation.
There are 34 patches in total. I cannot guarantee that all of them will
apply cleanly in an order different from the one below (because there
might be unavoidable dependencies between some of the patches).
[1/34] update-readahead.patch
This patch adds a new interface init_read_fifo_file() and
uses it so that readahead can read init_t fifo files.
[2/34] update-usermanage.patch
This patch adds some needed permissions for passwd_t in
policy/modules/admin/usermanage.te.
[3/34] update-usermanage-use-pam.patch
This patch allows to use pam instead of nsswitch in
policy/modules/admin/usermanage.te.
[4/34] update-cpufreqselector.patch
This patch adds a new interface to the cpufreqselector module
to allow dbus chat. it then uses such interface to allow dbus chat
with system_dbusd_t and xdm_t. This patch also adds some other
permissions needed to run cpufreqselector.
[5/34] update-policykit-read-xdg-config.patch
This patch labels HOME_DIR/\.config as gnome_home_t and then
allows policykit to read such kind of files.
[6/34] update-mount.patch
This patch adds a new interface for mount. It then uses the new
interface and adds some permissions needed to use mount. It also
adds a conditional block for redhat systems that use a mount script
called /sbin/mount.tmpfs. Finally the patch adds a permission
needed for example by ntfs-3g (storage_rw_fuse).
[7/34] update-kernel-files-fix-typo.patch
This patch fixes a typo in the description of kernel files
interfaces.
[8/34] update-devicekit.patch
This patch adds two new interfaces (one for the kernel and the
other for mount). It then allows dbus chat between dbus and
devicekit and between xdm and devicekit. It then adds some
permissions needed to run devicekit.
[9/34] update-roles-sysadm.patch
This patch adds some permissions (through interface calls) needed
by the sysadm role (in particular logging permissions).
[10/34] update-read-consolekit-pid-files.patch
This patch adds a new interface to the consolekit module so that
pid files can be listed. It then uses such interface so that
consolekit pid files can be listed and read by both dbus and policykit.
[11/34] update-consolekit-shutdown.patch
This patch adds some permissions needed to shutdown the system
using the graphical interface.
[12/34] update-consolekit-dbus-chat.patch
This patch allows dbus chat between consolekit and dbus.
[13/34] update-networkmanager.patch
This patch allows dbus chat between networkmanager and dbus and
between networkmanager and xdm. It also adds a missing permission
(sysnet_read_dhcpc_state) to the networkmanager module.
[14/34] update-avahi-dbus-chat.patch
This patch allows dbus chat between avahi and ntpd and between
avahi and xdm.
[15/34] update-ntp-dbus-chat-and-stream-connect.patch
This patch adds two new interfaces to the ntp module. The first
interface can be used to allow dbus chat and the second interface
allows to connect to dbus using a unix domain stream socket.
Both interfaces are used to allow dbus chat between ntpd and
dbus and to allow ntpd to connect to dbus using a unix domain
stream socket.
[16/34] update-plymouth-getsched.patch
This patch adds a self:process getsched permission for plymouthd_t.
[17/34] update-plymouth-unallocated-ttys.patch
This patch allows plymouthd to use unallocated ttys.
[18/34] update-policykit.patch
This patch adds a file context for the /var/lib/polkit-1 directory.
It then allows policykit to be started from dbus. It also adds
some other permissions needed to run policykit and a new interface
which is used to read xdm files.
[19/34] update-setroubleshoot.patch
This patch adds a new interface to the logging module and uses
such interface (as optional policy) from the setroubleshoot module.
The patch also adds another optional policy block to the setroubleshoot
(so that the locate module can read lib files).
[20/34] update-setroubleshoot-fix-interface-comment.patch
This patch clarifies a comment in the description of one of the
setroubleshoot interfaces.
[21/34] update-smartmon-read-usr-files.patch
This patch adds a permission to the smartmon module so
that it can read usr files.
[22/34] update-xserver.patch
This patch adds an interface to allow dbus chat with
xdm. It then uses such interface to actually allow dbus chat
between dbus and xdm. The patch also allows dbus chat
between hal and xdm, between policykit and xdm and between
setroubleshoot and xdm.
[23/34] update-authlogin.patch
This patch adds some needed permissions to the chkpwd_t domain
in policy/modules/system/authlogin.te.
[24/34] update-init-label-upstart.patch
This patch adds a file context for /sbin/upstart.
[25/34] update-logging-read-system-state.patch
This patch allows the audit dispatcher to read the system
state.
[26/34] update-logging-setroubleshoot-dbus-chat.patch
This patch allows dbus chat between setroubleshoot and the audit
dispatcher.
[27/34] update-sysnetwork-add-new-dhcp-interface.patch
This patch adds a new interface to the sysnetwork module so
that the DHCP client state directories can be searched.
[28/34] update-sysnetwork-hal-read-pid-files.patch
This patch allows to read hal pid files from the ifconfig_t
context.
[29/34] update-dbus-sys-ptrace.patch
This patch adds self:capability sys_ptrace to the dbus module.
[30/34] update-cron-manage-keys.patch
This patch has been added as needed after recent (> 02022011) changes
affecting the cron module.
[31/34] update-dbus-exec-bin.patch
This patch allows corecmd_exec_bin from the dbus module. This is
required to run python from dbus-daemon-launch-helper.
[32/34] update-mount-use-fds.patch
This patch allows mount to use kernel file descriptors.
[33/34] update-cron-audit-control.patch
This patch has been added as needed after recent (> 02022011) changes
affecting the cron module.
[34/34] update-cron-manage-sysadm-keys.patch
This patch has been added as needed after recent (> 02022011) changes
affecting the cron module.
Regards,
Guido