2013-03-10 14:52:44

by sven.vermeulen

Subject: [refpolicy] [PATCH 0/6] Minor updates on contrib

Set of minor updates on the contrib modules

Sven Vermeulen (6):
mplayer streams HTTP resources
fcron and fcronsighup binaries are moved
Add in contexts for fcron rm.systab and systab.tmp
Asterisk needs to search through logs
Denial in mail log on node bind
Fix typo in mcelog_admin (missing bracket)

asterisk.te | 1 +
cron.fc | 5 +++++
mcelog.if | 2 +-
mplayer.te | 3 +++
postfix.te | 2 ++
5 files changed, 12 insertions(+), 1 deletion(-)

--
1.8.1.5


2013-03-10 14:52:45

by sven.vermeulen

Subject: [refpolicy] [PATCH 1/6] mplayer streams HTTP resources

Needed to allow mplayer to stream HTTP resources (like webradios).

Signed-off-by: Sven Vermeulen <[email protected]>
---
mplayer.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/mplayer.te b/mplayer.te
index 9aca704..802e494 100644
--- a/mplayer.te
+++ b/mplayer.te
@@ -130,6 +130,7 @@ tunable_policy(`use_samba_home_dirs',`
allow mplayer_t self:process { signal_perms getsched };
allow mplayer_t self:fifo_file rw_fifo_file_perms;
allow mplayer_t self:sem create_sem_perms;
+allow mplayer_t self:udp_socket create_socket_perms;

allow mplayer_t mplayer_etc_t:dir list_dir_perms;
allow mplayer_t mplayer_etc_t:file read_file_perms;
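Review bot: the new `allow mplayer_t self:udp_socket create_socket_perms;` line is not explained by the commit message, which only talks about streaming over HTTP (a TCP protocol). If the UDP socket is needed for DNS lookups of the stream host, the usual refpolicy way is to call `sysnet_dns_name_resolve(mplayer_t)`, which carries the socket permissions together with the name-server access, rather than a bare self rule; either way, the commit message should say what the UDP socket is for so the rule is not pruned later as unused.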
@@ -155,6 +156,8 @@ kernel_read_kernel_sysctls(mplayer_t)
corecmd_exec_bin(mplayer_t)
corecmd_exec_shell(mplayer_t)

+corenet_tcp_connect_http_port(mplayer_t)
+
dev_read_rand(mplayer_t)
dev_read_realtime_clock(mplayer_t)
dev_read_sound_mixer(mplayer_t)
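Review bot: `corenet_tcp_connect_http_port(mplayer_t)` on its own only grants the connect to the http port; in refpolicy a client domain normally also needs the matching TCP socket creation and the generic node/interface send/receive rules, and the maintainer's reply in this thread confirms it was merged "with additional networking rules for compatibility", so it would be cleaner to include those in the patch itself. Also consider whether an unconditional outbound HTTP rule for a media player should sit behind a tunable, since it widens what a compromised mplayer_t can reach on the network.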
--
1.8.1.5

2013-03-10 14:52:46

by sven.vermeulen

Subject: [refpolicy] [PATCH 2/6] fcron and fcronsighup binaries are moved

In fcron 3.1.1, the fcron and fcronsighup binaries are moved into /usr/libexec.

Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.fc | 3 +++
1 file changed, 3 insertions(+)

diff --git a/cron.fc b/cron.fc
index 6e76215..d4fbcfd 100644
--- a/cron.fc
+++ b/cron.fc
@@ -6,6 +6,9 @@
/usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
/usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)

+/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
+/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crond_exec_t,s0)
+
/usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
/usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
/usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)
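Review bot: labelling `/usr/libexec/fcronsighup` as `crond_exec_t` looks wrong: fcronsighup is the helper that the crontab tool invokes to signal the daemon, not the daemon itself, so giving it the daemon's entry point label would let a user-initiated execution transition into the daemon domain. The existing `/usr/bin/(f)?crontab` line above uses `crontab_exec_t` for the user-facing tool, and the maintainer's reply in this thread notes the patch was merged with fcronsighup changed to `crontab_exec_t`; the patch should carry that label from the start.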
--
1.8.1.5

2013-03-10 14:52:47

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/6] Add in contexts for fcron rm.systab and systab.tmp


Signed-off-by: Sven Vermeulen <[email protected]>
---
cron.fc | 2 ++
1 file changed, 2 insertions(+)

diff --git a/cron.fc b/cron.fc
index d4fbcfd..cab22a1 100644
--- a/cron.fc
+++ b/cron.fc
@@ -44,7 +44,9 @@
/var/spool/fcron/.* <<none>>
/var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
/var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
+/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)

ifdef(`distro_debian',`
/var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)
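Review bot: the commit message body is empty; it should state when fcron creates `systab.tmp` and `rm.systab` (the temporary and to-be-removed copies of the system crontab) so the reader can see why they need `system_cron_spool_t` rather than inheriting the `<<none>>` catch-all for `/var/spool/fcron/.*` a few lines above. The entries themselves are consistent with the neighbouring `systab`, `systab\.orig` and `new\.systab` lines.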
--
1.8.1.5

2013-03-10 14:52:48

by sven.vermeulen

Subject: [refpolicy] [PATCH 4/6] Asterisk needs to search through logs

Allow asterisk to search through the log files, otherwise the following error is
received:

asterisk: ERROR[23298]: cdr_csv.c:318 in csv_log: Unable to re-open master file
/var/log/asterisk//cdr-csv//Master.csv : Permission denied

Signed-off-by: Sven Vermeulen <[email protected]>
---
asterisk.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/asterisk.te b/asterisk.te
index 5439f1c..c436f9f 100644
--- a/asterisk.te
+++ b/asterisk.te
@@ -146,6 +146,7 @@ fs_search_auto_mountpoints(asterisk_t)

auth_use_nsswitch(asterisk_t)

+logging_search_logs(asterisk_t)
logging_send_syslog_msg(asterisk_t)

miscfiles_read_localization(asterisk_t)
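Review bot: `logging_search_logs(asterisk_t)` only grants directory search on the generic `/var/log` parent; the quoted error is about re-opening `/var/log/asterisk/cdr-csv/Master.csv`, so the patch should confirm that the asterisk log directory and the CSV file under it carry the asterisk log type (otherwise the open will still be denied after the search is allowed). A one-line note in the commit message that the remaining path is already labelled would make that clear.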
--
1.8.1.5

2013-03-10 14:52:49

by sven.vermeulen

Subject: [refpolicy] [PATCH 5/6] Denial in mail log on node bind

When mails are sent to an IPv6-enabled server, the following denial is otherwise
shown in the mail logs:

postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied

Signed-off-by: Sven Vermeulen <[email protected]>
---
postfix.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/postfix.te b/postfix.te
index 191a66f..dd59b2a 100644
--- a/postfix.te
+++ b/postfix.te
@@ -702,6 +702,8 @@ allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;

rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)

+corenet_tcp_bind_generic_node(postfix_smtp_t)
+
optional_policy(`
cyrus_stream_connect(postfix_smtp_t)
')
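Review bot: `corenet_tcp_bind_generic_node(postfix_smtp_t)` is the right interface for the quoted `smtp_connect_addr: bind <local_ipv6>` warning, which is the outbound client binding its source address before connecting, so no port bind is needed. The commit message should mention that this is triggered by Postfix binding to a local IPv6 source address (the `smtp_bind_address6`-style configuration), since "IPv6-enabled server" reads as if the remote end were the cause.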
--
1.8.1.5

2013-03-10 14:52:50

by sven.vermeulen

Subject: [refpolicy] [PATCH 6/6] Fix typo in mcelog_admin (missing bracket)


Signed-off-by: Sven Vermeulen <[email protected]>
---
mcelog.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/mcelog.if b/mcelog.if
index 9dbe694..f89651e 100644
--- a/mcelog.if
+++ b/mcelog.if
@@ -56,6 +56,6 @@ interface(`mcelog_admin',`
logging_search_logs($1)
admin_pattern($1, mcelog_log_t)

- files_search_pids($1
+ files_search_pids($1)
admin_pattern($1, mcelog_var_run_t)
')
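Review bot: the fix is correct; the unbalanced `files_search_pids($1` would only fail at m4 expansion when some module actually calls `mcelog_admin`, which is why it survived in the tree. It would be worth building a policy that invokes `mcelog_admin` once as a regression check so that the interface is exercised and similar bracket slips are caught at build time.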
--
1.8.1.5

2013-03-11 07:04:55

by Russell Coker

Subject: [refpolicy] [PATCH 3/6] Add in contexts for fcron rm.systab and systab.tmp

Are the fcron source patches being maintained again?
--
My blog http://etbe.coker.com.au
Sent from a Galaxy S3
Android phone with K-9 Mail.

2013-03-11 07:42:03

by sven.vermeulen

Subject: [refpolicy] [PATCH 3/6] Add in contexts for fcron rm.systab and systab.tmp

On Mar 11, 2013 8:15 AM, "Russell Coker" <[email protected]> wrote:
>
> Are the fcron source patches being maintained again?

As long as I can get it to work by updating the policy (and as long as
Gentoo package maintainers continue with it) I continue with it ;-)

2013-03-11 08:24:57

by dominick.grift

Subject: [refpolicy] [PATCH 6/6] Fix typo in mcelog_admin (missing bracket)

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>

Merged, Thanks
> ---
> mcelog.if | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/mcelog.if b/mcelog.if
> index 9dbe694..f89651e 100644
> --- a/mcelog.if
> +++ b/mcelog.if
> @@ -56,6 +56,6 @@ interface(`mcelog_admin',`
> logging_search_logs($1)
> admin_pattern($1, mcelog_log_t)
>
> - files_search_pids($1
> + files_search_pids($1)
> admin_pattern($1, mcelog_var_run_t)
> ')

2013-03-11 08:22:58

by dominick.grift

Subject: [refpolicy] [PATCH 2/6] fcron and fcronsighup binaries are moved

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> In fcron 3.1.1, the fcron and fcronsighup binaries are moved into /usr/libexec.

Merged with changes: fcronsighup is crontab_exec_t. Thanks

>
> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> cron.fc | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/cron.fc b/cron.fc
> index 6e76215..d4fbcfd 100644
> --- a/cron.fc
> +++ b/cron.fc
> @@ -6,6 +6,9 @@
> /usr/bin/at -- gen_context(system_u:object_r:crontab_exec_t,s0)
> /usr/bin/(f)?crontab -- gen_context(system_u:object_r:crontab_exec_t,s0)
>
> +/usr/libexec/fcron -- gen_context(system_u:object_r:crond_exec_t,s0)
> +/usr/libexec/fcronsighup -- gen_context(system_u:object_r:crond_exec_t,s0)
> +
> /usr/sbin/anacron -- gen_context(system_u:object_r:anacron_exec_t,s0)
> /usr/sbin/atd -- gen_context(system_u:object_r:crond_exec_t,s0)
> /usr/sbin/cron(d)? -- gen_context(system_u:object_r:crond_exec_t,s0)

2013-03-11 08:24:32

by dominick.grift

Subject: [refpolicy] [PATCH 5/6] Denial in mail log on node bind

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> When mails are sent to an IPv6-enabled server, the following denial is otherwise
> shown in the mail logs:
>
> postfix/smtp[7620]: warning: smtp_connect_addr: bind <local_ipv6>: Permission denied
>

Merged. The original gentoo bugzilla here has additional details of this
event: https://bugs.gentoo.org/show_bug.cgi?id=453990

Thanks

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> postfix.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/postfix.te b/postfix.te
> index 191a66f..dd59b2a 100644
> --- a/postfix.te
> +++ b/postfix.te
> @@ -702,6 +702,8 @@ allow postfix_smtp_t { postfix_prng_t postfix_spool_t }:file rw_file_perms;
>
> rw_files_pattern(postfix_smtp_t, postfix_spool_maildrop_t, postfix_spool_maildrop_t)
>
> +corenet_tcp_bind_generic_node(postfix_smtp_t)
> +
> optional_policy(`
> cyrus_stream_connect(postfix_smtp_t)
> ')

2013-03-11 08:23:21

by dominick.grift

Subject: [refpolicy] [PATCH 4/6] Asterisk needs to search through logs

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Allow asterisk to search through the log files, otherwise the following error is
> received:
>
> asterisk: ERROR[23298]: cdr_csv.c:318 in csv_log: Unable to re-open master file
> /var/log/asterisk//cdr-csv//Master.csv : Permission denied
>

Merged, thanks

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> asterisk.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/asterisk.te b/asterisk.te
> index 5439f1c..c436f9f 100644
> --- a/asterisk.te
> +++ b/asterisk.te
> @@ -146,6 +146,7 @@ fs_search_auto_mountpoints(asterisk_t)
>
> auth_use_nsswitch(asterisk_t)
>
> +logging_search_logs(asterisk_t)
> logging_send_syslog_msg(asterisk_t)
>
> miscfiles_read_localization(asterisk_t)

2013-03-11 08:22:17

by dominick.grift

Subject: [refpolicy] [PATCH 1/6] mplayer streams HTTP resources

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Needed to allow mplayer to stream HTTP resources (like webradios).

Merged with additional networking rules for compatibility, Thanks

> Signed-off-by: Sven Vermeulen <[email protected]>
> ---
> mplayer.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/mplayer.te b/mplayer.te
> index 9aca704..802e494 100644
> --- a/mplayer.te
> +++ b/mplayer.te
> @@ -130,6 +130,7 @@ tunable_policy(`use_samba_home_dirs',`
> allow mplayer_t self:process { signal_perms getsched };
> allow mplayer_t self:fifo_file rw_fifo_file_perms;
> allow mplayer_t self:sem create_sem_perms;
> +allow mplayer_t self:udp_socket create_socket_perms;
>
> allow mplayer_t mplayer_etc_t:dir list_dir_perms;
> allow mplayer_t mplayer_etc_t:file read_file_perms;
> @@ -155,6 +156,8 @@ kernel_read_kernel_sysctls(mplayer_t)
> corecmd_exec_bin(mplayer_t)
> corecmd_exec_shell(mplayer_t)
>
> +corenet_tcp_connect_http_port(mplayer_t)
> +
> dev_read_rand(mplayer_t)
> dev_read_realtime_clock(mplayer_t)
> dev_read_sound_mixer(mplayer_t)

2013-03-11 08:25:21

by dominick.grift

Subject: [refpolicy] [PATCH 3/6] Add in contexts for fcron rm.systab and systab.tmp

On Sun, 2013-03-10 at 15:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <[email protected]>

Merged, Thanks

> ---
> cron.fc | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/cron.fc b/cron.fc
> index d4fbcfd..cab22a1 100644
> --- a/cron.fc
> +++ b/cron.fc
> @@ -44,7 +44,9 @@
> /var/spool/fcron/.* <<none>>
> /var/spool/fcron/systab\.orig -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> /var/spool/fcron/systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> +/var/spool/fcron/systab\.tmp -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> /var/spool/fcron/new\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
> +/var/spool/fcron/rm\.systab -- gen_context(system_u:object_r:system_cron_spool_t,s0)
>
> ifdef(`distro_debian',`
> /var/spool/cron/atjobs -d gen_context(system_u:object_r:cron_spool_t,s0)

2013-03-12 23:35:56

by Russell Coker

Subject: [refpolicy] [PATCH 3/6] Add in contexts for fcron rm.systab and systab.tmp

On Mon, 11 Mar 2013, Sven Vermeulen <[email protected]> wrote:
> As long as I can get it to work by updating the policy (and as long as
> Gentoo package maintainers continue with it) I continue with it ;-)

How can I get the Gentoo patches for the fcron package?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/