2013-11-09 09:44:42

by dominick.grift

Subject: [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/mount.te | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 459a0ef..ea1016d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -107,7 +107,6 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
fs_dontaudit_write_tmpfs_dirs(mount_t)
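Review bot: the subject names fs_list_auto_mountpoint() but the call removed here is fs_list_auto_mountpoints(); fix the name in the subject. The hunk also does not show mount_t calling files_list_all_mountpoints(), on which the removal depends, so confirm that call is already present elsewhere in mount.te (and say so in the message) before dropping this one.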
--
1.8.3.1


2013-11-09 09:44:43

by dominick.grift

Subject: [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 -
1 file changed, 1 deletion(-)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f41857e..374ac00 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -30,7 +30,6 @@ ifdef(`distro_redhat',`

/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)

-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)

ifdef(`distro_debian',`
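Review bot: dropping the /var/run/PackageKit/udev spec means that path falls back to whatever labels /var/run/PackageKit; the subject's reasoning (no matching file type transition) cannot be checked from the fc file alone, so the commit message should name the module expected to label that directory instead, or state that nothing creates it on current systems.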
--
1.8.3.1

2013-11-09 09:44:44

by dominick.grift

Subject: [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/userdomain.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)

diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..06d8db1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`

########################################
## <summary>
+## Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
## Read user tmpfs files.
## </summary>
## <param name="domain">
--
1.8.3.1

2013-11-09 09:44:45

by dominick.grift

Subject: [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f..183e45d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -184,6 +184,7 @@ ifdef(`distro_debian',`
avahi_create_pid_dirs(udev_t)
avahi_initrc_domtrans(udev_t)
avahi_manage_pid_files(udev_t)
+ avahi_setattr_pid_dirs(udev_t)
avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
')
')
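Review bot: with avahi_setattr_pid_dirs added, udev_t now creates, manages and chmods /run/avahi-daemon on top of avahi_initrc_domtrans, all to serve one shell script; add a comment naming the script (as the later udev.te hunk does with "# for /usr/lib/avahi/avahi-daemon-check-dns.sh"), and consider whether that script deserves its own domain rather than accumulating avahi privileges in udev_t.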
--
1.8.3.1

2013-11-09 09:44:46

by dominick.grift

Subject: [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/authlogin.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..367e920 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)

dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)
+dev_search_sysfs(chkpwd_t)

files_read_etc_files(chkpwd_t)
# for nscd
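Review bot: add a one-line comment above dev_search_sysfs(chkpwd_t) giving the reason from the subject (Debian's unix_chkpwd traversing sysfs), as the block already does with "# for nscd"; a bare sysfs search rule in the password checker otherwise looks arbitrary to the next reader.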
--
1.8.3.1

2013-11-09 09:44:47

by dominick.grift

Subject: [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/setrans.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..8e1e27d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })

kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
+kernel_read_system_state(setrans_t)

# allow performing getpidcon() on all processes
domain_read_all_domains_state(setrans_t)
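Review bot: kernel_read_system_state is a broader grant than the kernel_read_proc_symlinks it replaces (read of all generic proc_t content, not just /proc/filesystems); that is acceptable since no finer interface exists, but leave a comment that it is for /proc/filesystems, and confirm the new call still covers the proc symlink reads mcstransd needed before so nothing regresses.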
--
1.8.3.1

2013-11-09 09:44:48

by dominick.grift

Subject: [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/setrans.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 8e1e27d..48aefa2 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
mls_process_read_up(setrans_t)
mls_socket_read_all_levels(setrans_t)

+selinux_getattr_fs(setrans_t)
selinux_compute_access_vector(setrans_t)

term_dontaudit_use_generic_ptys(setrans_t)
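Review bot: selinux_getattr_fs(setrans_t) is inserted above selinux_compute_access_vector(setrans_t); refpolicy keeps interface calls within a block in alphabetical order, so it belongs after that line.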
--
1.8.3.1

2013-11-09 09:44:49

by dominick.grift

Subject: [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up in Debian

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/fstools.te | 5 +++++
policy/modules/system/hostname.te | 4 ++++
policy/modules/system/sysnetwork.te | 4 ++++
3 files changed, 13 insertions(+)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d30..b40e06f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)

userdom_use_user_terminals(fsadm_t)

+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(fsadm_t)
+')
+
+
ifdef(`distro_redhat',`
optional_policy(`
unconfined_domain(fsadm_t)
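Review bot: two blank lines are added after the new `')` before the distro_redhat block; one is enough and matches the hostname.te and sysnetwork.te hunks in this same patch. Since dontaudit only hides the denial, also add a comment stating that the tty_device_t access is a boot-time fd these tools inherit (per the subject), so a reader knows why it is not fixed at the source.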
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 24a7889..d5d4a1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)

+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(hostname_t)
+')
+
optional_policy(`
nis_use_ypbind(hostname_t)
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..999e142 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)

+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(ifconfig_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
--
1.8.3.1

2013-11-09 09:44:50

by dominick.grift

Subject: [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in Debian.

These named file transitions make sure that these devices get created
with the proper types

This list is probably far from comprehensive because I only added the
ones I was able to confirm on my virtual machine.

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/corenetwork.if.in | 25 ++++++
policy/modules/kernel/devices.if | 146 +++++++++++++++++++++++++++++++-
policy/modules/kernel/kernel.te | 42 +++++++++
policy/modules/kernel/terminal.if | 50 +++++++++++
policy/modules/system/udev.te | 4 +
5 files changed, 266 insertions(+), 1 deletion(-)

diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 07126bd..7158d4a 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1993,6 +1993,31 @@ interface(`corenet_rw_tun_tap_dev',`

########################################
## <summary>
+## Create TUN/TAP virtual network devices
+## in /dev with the tun tap type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`corenet_dev_filetrans_tun_tap',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_filetrans($1, tun_tap_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
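Review bot: the optional parameter is documented as `filename` here and in the terminal.if interfaces added by this patch, but as `name` in the devices.if interfaces added by the same patch; use `name`, which is what refpolicy's existing filetrans interfaces use, so the generated documentation is consistent.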
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..147170a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1803,7 +1803,7 @@ interface(`dev_rw_crypto',`
#
interface(`dev_setattr_dlm_control',`
gen_require(`
- type device_t, kvm_device_t;
+ type device_t, dlm_control_device_t;
')

setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
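Review bot: the gen_require fix for dev_setattr_dlm_control (kvm_device_t listed where dlm_control_device_t was meant) is a standalone bug fix unrelated to device node transitions; split it into its own commit so it can be applied and bisected independently of the Debian filetrans work.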
@@ -2017,6 +2017,30 @@ interface(`dev_rw_input_dev',`

########################################
## <summary>
+## Automatic type transition to the type
+## for input device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
@@ -2340,6 +2364,30 @@ interface(`dev_rw_kvm',`
rw_chr_files_pattern($1, device_t, kvm_device_t)
')

+########################################
+## <summary>
+## Automatic type transition to the type
+## for kvm device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, $2)
+')
+
######################################
## <summary>
## Read the lirc device.
@@ -2883,6 +2931,30 @@ interface(`dev_rw_mouse',`

########################################
## <summary>
+## Automatic type transition to the type
+## for mouse device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the memory type range
## registers (MTRR) device.
## </summary>
@@ -3691,6 +3763,30 @@ interface(`dev_write_sound_mixer',`

########################################
## <summary>
+## Automatic type transition to the type
+## for sound mixer device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_sound_mixer',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the the power management device.
## </summary>
## <param name="domain">
@@ -4203,6 +4299,30 @@ interface(`dev_relabel_generic_usb_dev',`

########################################
## <summary>
+## Automatic type transition to the type
+## for usb device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_usb',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
@@ -4648,6 +4768,30 @@ interface(`dev_rw_wireless',`

########################################
## <summary>
+## Automatic type transition to the type
+## for wireless device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..dd1e7e7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -285,6 +285,48 @@ mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)

+ifdef(`distro_debian',`
+ dev_filetrans_input(kernel_t, "event0")
+ dev_filetrans_input(kernel_t, "event1")
+ dev_filetrans_input(kernel_t, "event2")
+ dev_filetrans_input(kernel_t, "event3")
+ dev_filetrans_input(kernel_t, "event4")
+ dev_filetrans_input(kernel_t, "event5")
+ dev_filetrans_kvm(kernel_t, "kvm")
+ dev_filetrans_mouse(kernel_t, "js0")
+ dev_filetrans_mouse(kernel_t, "js1")
+ dev_filetrans_mouse(kernel_t, "mouse0")
+ dev_filetrans_mouse(kernel_t, "mouse1")
+ dev_filetrans_mouse(kernel_t, "mouse2")
+ dev_filetrans_sound_mixer(kernel_t, "controlC0")
+ dev_filetrans_sound_mixer(kernel_t, "hwC0D0")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0c")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0p")
+ dev_filetrans_usb(kernel_t, "001")
+ dev_filetrans_usb(kernel_t, "002")
+ dev_filetrans_wireless(kernel_t, "rfkill")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs7")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa7")
+
+ term_dev_filetrans_virtio_console(kernel_t, "vport1p1")
+')
+
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
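Review bot: these named transitions enumerate fixed node names (event0..event5, mouse0..mouse2, vcs1..vcs7, vcsa1..vcsa7, usb 001/002, vport1p1), so any node past those counts or on a machine with a different layout still lands as device_t; the commit message admits the list is incomplete, so put that caveat in a comment at the top of the block. Also note in a comment that js0/js1 are deliberately routed through dev_filetrans_mouse to mouse_device_t, otherwise it reads as a copy-paste slip.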
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..c08b093 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1245,6 +1245,31 @@ interface(`term_use_unallocated_ttys',`

########################################
## <summary>
+## Create unallocated tty devices in /dev
+## with the unallocated tty type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_filetrans($1, tty_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or
## write unallocated ttys.
## </summary>
@@ -1531,3 +1556,28 @@ interface(`term_use_virtio_console',`
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Create virtio console devices in /dev
+## with the virtio console type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ dev_filetrans($1, virtio_device_t, chr_file, $2)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 183e45d..47bfc33 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,8 +174,12 @@ sysnet_etc_filetrans_config(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)

ifdef(`distro_debian',`
+ corenet_dev_filetrans_tun_tap(udev_t, "tun")
+
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")

+ storage_dev_filetrans_fixed_disk(udev_t, "loop0")
+
optional_policy(`
# for /usr/lib/avahi/avahi-daemon-check-dns.sh
kernel_read_vm_sysctls(udev_t)
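Review bot: storage_dev_filetrans_fixed_disk(udev_t, "loop0") calls an interface that is neither added in this patch nor listed in the diffstat; if storage.if does not already provide it the module will not build, so state that dependency in the commit message. As with the kernel.te list, only loop0 is covered and loop1 and up will remain device_t.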
--
1.8.3.1

2013-11-09 09:44:51

by dominick.grift

Subject: [refpolicy] [PATCH 10/39] udev: udevd executable location changed

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 374ac00..dd1a887 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)

ifdef(`distro_debian',`
+/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
')
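Review bot: the subject says the udevd location changed, but the hunk only adds /lib/systemd/systemd-udevd; if the previous Debian location is gone its stale spec should be removed in the same commit, otherwise reword the subject to say a Debian location is being added.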
--
1.8.3.1

2013-11-09 09:44:52

by dominick.grift

Subject: [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 47bfc33..f6ee5ae 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
miscfiles_read_hwdata(udev_t)

modutils_domtrans_insmod(udev_t)
+modutils_read_module_config(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)

--
1.8.3.1

2013-11-09 09:44:53

by dominick.grift

Subject: [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/lvm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..d379ef3 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
dev_relabel_generic_dev_dirs(lvm_t)
dev_manage_generic_blk_files(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(lvm_t)
+dev_rw_sysfs(lvm_t)
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
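Review bot: the comment above the changed line still says "Read /sys/block" while the rule now grants read and write; update it to mention the read_ahead_kb write from the subject. dev_rw_sysfs also grants write to all sysfs_t files, not just read_ahead_kb, which is acceptable for lvm_t but worth stating in the commit message.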
--
1.8.3.1

2013-11-09 09:44:55

by dominick.grift

Subject: [refpolicy] [PATCH 14/39] fstools: hdparm append (what seems inherited from devicekit) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/fstools.te | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b40e06f..6f9fde9 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -171,6 +171,11 @@ optional_policy(`
')

optional_policy(`
+ devicekit_read_pid_files(fsadm_t)
+ devicekit_append_inherited_log_files(fsadm_t)
+')
+
+optional_policy(`
hal_dontaudit_write_log(fsadm_t)
')

--
1.8.3.1

2013-11-09 09:44:56

by dominick.grift

Subject: [refpolicy] [PATCH 15/39] sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian I was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/sysnetwork.te | 7 +++++++
1 file changed, 7 insertions(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 999e142..a2b9820 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -201,6 +201,13 @@ optional_policy(`
')

optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_manage_lib_files(dhcpc_t)
+ networkmanager_stream_connect(dhcpc_t)
+')
+
+optional_policy(`
nis_read_ypbind_pid(dhcpc_t)
')

--
1.8.3.1

2013-11-09 09:44:57

by dominick.grift

Subject: [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/iptables.te | 6 ++++++
1 file changed, 6 insertions(+)

diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..63eb287 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })

+kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
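Review bot: kernel_getattr_proc(iptables_t) is unrelated to the firewalld interfaces named in the subject and is not mentioned in the commit message; either mention it there with its reason or move it to its own commit.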
@@ -105,6 +106,11 @@ optional_policy(`
')

optional_policy(`
+ firewalld_read_config_files(iptables_t)
+ firewalld_dontaudit_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
firstboot_use_fds(iptables_t)
firstboot_rw_pipes(iptables_t)
')
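Review bot: the message confirms only firewalld_dontaudit_rw_tmp_files(iptables_t) on Debian; firewalld_read_config_files(iptables_t) is carried over from Fedora without a stated reason and grants real access rather than silencing a denial, so it needs its own justification or should be dropped until one exists.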
--
1.8.3.1

2013-11-09 09:44:58

by dominick.grift

Subject: [refpolicy] [PATCH 17/39] init: This should make transitions to init_script_domains() work for direct_sysadm_daemon

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 79a45f6..bc49474 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -67,7 +67,8 @@ interface(`init_script_file',`
interface(`init_script_domain',`
gen_require(`
attribute init_script_domain_type, init_script_file_type;
- attribute init_run_all_scripts_domain;
+ attribute init_run_all_scripts_domain, direct_init, direct_init_entry;
+ attribute direct_run_init;
')

typeattribute $1 init_script_domain_type;
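Review bot: the new gen_require entries (direct_init, direct_init_entry, direct_run_init) are required unconditionally, while the only uses added by this patch are inside the ifdef(`direct_sysadm_daemon') block; if init.te declares these attributes only under that build option, every caller of init_script_domain will fail to link in builds without it. Move the require into the ifdef, or state in the message that the attributes are declared unconditionally.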
@@ -77,6 +78,16 @@ interface(`init_script_domain',`
domain_entry_file($1, $2)

domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+
+ ifdef(`direct_sysadm_daemon',`
+ domtrans_pattern(direct_run_init, $2, $1)
+ allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+ typeattribute $1 direct_init;
+ typeattribute $2 direct_init_entry;
+
+ userdom_dontaudit_use_user_terminals($1)
+ ')
')

########################################
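Review bot: the `allow direct_run_init $1:process { noatsecure siginh rlimitinh }` and userdom_dontaudit_use_user_terminals($1) apply to every init script domain whenever direct_sysadm_daemon is built, whether or not that domain is ever entered directly from a user role; a comment noting that this mirrors the init_run_all_scripts_domain path above, plus a reason for the terminal dontaudit (which denial it silences), would make the block self-explanatory.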
--
1.8.3.1

2013-11-09 09:44:54

by dominick.grift

Subject: [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/admin/usermanage.fc | 4 ++++
policy/modules/admin/usermanage.te | 3 +++
2 files changed, 7 insertions(+)

diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..4b7737e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
')

+ifdef(`distro_debian',`
+/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
+')
+
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..471d4a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
userdom_dontaudit_search_user_home_dirs(crack_t)

ifdef(`distro_debian',`
+ allow crack_t self:process getsched;
# the package cracklib-runtime on Debian contains a daily maintenance
# script /etc/cron.daily/cracklib-runtime, that calls
# update-cracklib and that calls crack_mkdict, which is a shell script.
corecmd_exec_shell(crack_t)
+ dev_search_sysfs(crack_t)
+ miscfiles_read_localization(crack_t)
')

optional_policy(`
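Review bot: `allow crack_t self:process getsched;` is a self permission, which refpolicy places at the top of the domain's own rules rather than inside a distro ifdef; nothing about getsched on self is Debian-specific. Keep dev_search_sysfs and miscfiles_read_localization in the Debian block only if they really are triggered solely by the cron.daily script, otherwise move them out as well.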
--
1.8.3.1

2013-11-09 09:44:59

by dominick.grift

Subject: [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..28a2188 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)

userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })

-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(unconfined_t, unconfined_r)
+ ')
+',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ ')
+ ')
')

optional_policy(`
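Review bot: the new ifdef/else makes direct_sysadm_daemon and distro_gentoo mutually exclusive: a Gentoo build with direct_sysadm_daemon defined loses seutil_run_runinit and seutil_init_script_run_runinit for unconfined_t, which the old code always granted. If that is intended, say so in the message; otherwise keep the Gentoo block outside the else branch. The added optional_policy wrappers around init and selinuxutil calls are also unnecessary, as both are base modules.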
--
1.8.3.1

2013-11-09 09:45:00

by dominick.grift

Subject: [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally (direct_sysadm_daemon)

Signed-off-by: Dominick Grift <[email protected]>
---
policy/users | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')

#
# The following users correspond to Unix identities.
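Review bot: adding system_r to unconfined_u lets any unconfined_u process hold the system role, which is what the role_transition in init_run_daemon needs but is also a broadening on its own; the commit message should state that this is the intended trade-off of direct_sysadm_daemon. The "# Until order dependence is fixed for users:" comment now sits above an ifdef and should be read as applying to both branches.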
--
1.8.3.1

2013-11-09 09:45:01

by dominick.grift

Subject: [refpolicy] [PATCH 20/39] init: for a specified automatic role transition to work, the source role must be allowed to change manually to the target role

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index bc49474..9bce838 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,6 +998,8 @@ interface(`init_run_daemon',`
')

typeattribute $1 direct_run_init;
+
+ allow $2 system_r;
role_transition $2 direct_init_entry system_r;
')

--
1.8.3.1

2013-11-09 09:45:03

by dominick.grift

Subject: [refpolicy] [PATCH 22/39] sysnetwork: dhclient searches /var/lib/ntp

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a2b9820..5857838 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -219,6 +219,7 @@ optional_policy(`

optional_policy(`
ntp_initrc_domtrans(dhcpc_t)
+ ntp_read_drift_files(dhcpc_t)
')

optional_policy(`
--
1.8.3.1

2013-11-09 09:45:04

by dominick.grift

Subject: [refpolicy] [PATCH 23/39] Initial local_home_t implementation

This was discussed on the maillist. It was decided to make this part of
the user domain since Python also uses local_home_t

This is part of implementation of X Desktop Group specification support

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 190 ++++++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 3 +
3 files changed, 175 insertions(+), 19 deletions(-)

diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..ec5c90a 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,5 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:local_home_t,s0)

/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 06d8db1..189f786 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -147,7 +147,7 @@ template(`userdom_base_user_template',`
#
interface(`userdom_ro_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')

##############################
@@ -159,12 +159,12 @@ interface(`userdom_ro_home_role',`

# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
- allow $2 user_home_t:dir list_dir_perms;
- allow $2 user_home_t:file entrypoint;
- read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:dir list_dir_perms;
+ allow $2 ( local_home_t user_home_t }:file entrypoint;
+ read_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_lnk_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_fifo_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_sock_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
files_list_home($2)

tunable_policy(`use_nfs_home_dirs',`
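Review bot: `allow $2 ( local_home_t user_home_t }:file entrypoint;` opens the type set with a parenthesis instead of a brace, so this hunk will not compile. It should read `allow $2 { local_home_t user_home_t }:file entrypoint;`, matching the `:dir list_dir_perms` line directly above it.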
@@ -218,7 +218,7 @@ interface(`userdom_ro_home_role',`
#
interface(`userdom_manage_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')

##############################
@@ -229,18 +229,19 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;

# full control of the home directory
- allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:file entrypoint;
+ manage_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ filetrans_pattern($2, user_home_t, local_home_t, dir, ".local")
files_list_home($2)

# cjp: this should probably be removed:
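Review bot: the named transition `filetrans_pattern($2, user_home_t, local_home_t, dir, ".local")` only fires when a directory called .local is created inside a user_home_t directory, but the fc entry added by this patch labels `HOME_DIR/\.local`, a direct child of the home directory, which is user_home_dir_t. A user domain running mkdir ~/.local will therefore match the generic `filetrans_pattern($2, user_home_dir_t, user_home_t, ...)` on the line above and end up with user_home_t until the next restorecon. The source type of the named transition should be user_home_dir_t.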
@@ -2200,6 +2201,157 @@ interface(`userdom_manage_user_home_content_sockets',`

########################################
## <summary>
+## Create generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_generic_local_home_dirs',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ allow $1 local_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir list_dir_perms;
+ allow $1 local_home_t:file read_file_perms;
+ allow $1 local_home_t:fifo_file read_fifo_file_perms;
+ allow $1 local_home_t:lnk_file read_lnk_file_perms;
+ allow $1 local_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir manage_dir_perms;
+ allow $1 local_home_t:file manage_file_perms;
+ allow $1 local_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 local_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 local_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_generic_local_home',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## local home directories with an automatic
+## type transition to a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_local_home_filetrans',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ filetrans_pattern($1, local_home_t, $2, $3, $4)
+ userdom_search_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic user
+## home content directories with an automatic
+## type transition to the generic local
+## home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_content_filetrans_local_home',`
+ gen_require(`
+ type user_home_t, local_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, local_home_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
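Review bot: `userdom_user_home_content_filetrans_local_home` lists `user_home_t` in its gen_require but never uses it; only `local_home_t` is needed (the same class of mistake patch 34 of this series corrects in devices.if). Also, `userdom_local_home_filetrans` calls userdom_search_user_home_content($1) while the other new interfaces call userdom_search_user_home_dirs($1); since the fc entry puts local_home_t directly under the home directory, the narrower dirs variant suffices, and the six interfaces should agree on one.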
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..d657ea7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -58,6 +58,9 @@ attribute unpriv_userdomain;

attribute user_home_content_type;

+type local_home_t;
+userdom_user_home_content(local_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
--
1.8.3.1

2013-11-09 09:45:05

by dominick.grift

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so I just added a file context spec for that for failover

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..c74ba1f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)

#
# /dev
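Review bot: labelling `HOME_DIR/\.xsession-errors.*` as xauth_home_t places a session log under the same type as the X authority cookie files, so every domain with read or write access to xauth_home_t also gets it on the error log, and whatever is allowed to write the log can modify ~/.Xauthority. The subject already calls this a stopgap; a comment in the fc file saying so, or the xdm_home_t type the subject mentions, would keep the two kinds of object from being conflated permanently.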
--
1.8.3.1

2013-11-09 09:45:06

by dominick.grift

Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 6 ++++++
policy/users | 7 -------
2 files changed, 6 insertions(+), 7 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 28a2188..4e4a4c5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
+
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
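Review bot: the block removed from policy/users carried the comment `# Until order dependence is fixed for users:`, which explained why unconfined_u was declared there; moving the gen_user() calls into unconfined.te drops that comment without saying whether the ordering problem is resolved or merely relocated. The subject's "(if possible)" suggests this was not verified; a sentence in the commit message on whether a user declaration inside this module builds and loads would let reviewers judge it.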
diff --git a/policy/users b/policy/users
index 5db8cf4..25402af 100644
--- a/policy/users
+++ b/policy/users
@@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)

-# Until order dependence is fixed for users:
-ifdef(`direct_sysadm_daemon',`
- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
-
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
--
1.8.3.1

2013-11-09 09:45:07

by dominick.grift

Subject: [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..5de913e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -179,6 +179,11 @@ seutil_read_config(init_t)

miscfiles_read_localization(init_t)

+ifdef(`distro_debian',`
+fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+')
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };

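Review bot: `fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")` uses `fifo` as the object class; the class is `fifo_file`, so this hunk does not compile (patch 28 of this series corrects it, and that fix belongs here). Separately, `fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")` only adds the type_transition and directory permissions on tmpfs_t; neither this hunk nor its context grants init_t create on initrc_var_run_t files, which is the rule patch 36 adds later, so /run/utmp will still be denied after this patch alone.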
--
1.8.3.1

2013-11-09 09:45:08

by dominick.grift

Subject: [refpolicy] [PATCH 27/39] libraries: for now I can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/libraries.fc | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..d9408e6 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -117,6 +117,10 @@ ifdef(`distro_redhat',`

/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)

+ifdef(`distro_debian',`
+/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
+')
+
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
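Review bot: `/usr/(.*/)?dh-python/dh_pypy` matches the file at any depth under /usr, wider than the other Debian-specific entries in this file; a fixed path would be more precise. dh_pypy is a script rather than a shared object, so if execute_no_trans turns out to be needed, as the subject anticipates, the right move is relabelling it bin_t, not adding execute permissions on lib_t.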
--
1.8.3.1

2013-11-09 09:45:09

by dominick.grift

Subject: [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5de913e..4691035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -180,7 +180,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)

ifdef(`distro_debian',`
-fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')

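Review bot: this hunk only repairs the `fifo` to `fifo_file` class name introduced by patch 26 of the same series; squash it into that patch so no commit in the series leaves init.te unbuildable, and keep this patch to the startpar changes its subject describes.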
@@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
userdom_use_user_terminals(initrc_t)

ifdef(`distro_debian',`
+ kernel_getattr_core_if(initrc_t)
+
+ dev_getattr_generic_blk_files(initrc_t)
dev_setattr_generic_dirs(initrc_t)

fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
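Review bot: the subject says the device_t label on /dev/dm-0 is transient and is reset shortly after startpar stats it, which makes this a labelling race rather than a legitimate access need. Instead of granting initrc_t getattr on every generic device_t block file, a dontaudit of the same access keeps the audit log quiet without widening initrc_t, and the real fix is the device node labelling work in patch 34. kernel_getattr_core_if(initrc_t) is unrelated to /dev/dm-0 and deserves its own sentence in the commit message.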
--
1.8.3.1

2013-11-09 09:45:10

by dominick.grift

Subject: [refpolicy] [PATCH 29/39] init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4691035..7f8797a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -450,6 +450,10 @@ ifdef(`distro_debian',`
storage_tmpfs_filetrans_fixed_disk(initrc_t)

files_setattr_etc_dirs(initrc_t)
+
+ optional_policy(`
+ exim_manage_var_lib_files(initrc_t)
+ ')
')

ifdef(`distro_gentoo',`
--
1.8.3.1

2013-11-09 09:45:11

by dominick.grift

Subject: [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 8 ++++++++
1 file changed, 8 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7f8797a..cd97c98 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -454,6 +454,14 @@ ifdef(`distro_debian',`
optional_policy(`
exim_manage_var_lib_files(initrc_t)
')
+
+ optional_policy(`
+ gdomap_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+ minissdpd_read_config(initrc_t)
+ ')
')

ifdef(`distro_gentoo',`
--
1.8.3.1

2013-11-09 09:45:12

by dominick.grift

Subject: [refpolicy] [PATCH 31/39] udev: in debian udevadm is located in /bin/udevadm

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index dd1a887..0b4df21 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -12,6 +12,7 @@
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)

ifdef(`distro_debian',`
+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
')

--
1.8.3.1

2013-11-09 09:45:02

by dominick.grift

Subject: [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9bce838..dc9f92b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -77,6 +77,8 @@ interface(`init_script_domain',`
domain_type($1)
domain_entry_file($1, $2)

+ role system_r types $1;
+
domtrans_pattern(init_run_all_scripts_domain, $2, $1)

ifdef(`direct_sysadm_daemon',`
--
1.8.3.1

2013-11-09 09:45:13

by dominick.grift

Subject: [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/setrans.te | 4 ++++
2 files changed, 8 insertions(+)

diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..d7559d8 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)

+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
type sshd_key_t;
files_type(sshd_key_t)

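Review bot: an init script creating /run/sshd is not Debian-specific, and as init_daemon_run_dir() only arranges a named type transition for initrc_t, the rule is harmless where the directory is created by other means. Unless another distribution's labelling conflicts, the `ifdef(`distro_debian',` guard can be dropped; the same applies to the setrans.te hunk below.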
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 48aefa2..dcd7c62 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -20,6 +20,10 @@ type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)

+ifdef(`distro_debian',`
+ init_daemon_run_dir(setrans_var_run_t, "setrans")
+')
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
')
--
1.8.3.1

2013-11-09 09:45:14

by dominick.grift

Subject: [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni)

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/kernel.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index dd1e7e7..d7a9b47 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;

+kernel_request_load_module(kernel_t)
+
# Allow unlabeled network traffic
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
--
1.8.3.1

2013-11-09 09:45:15

by dominick.grift

Subject: [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:

1. device_t type was used but not required
2. the interface name suggests all dev files and that includes device_t
chr/blk files as well. If the interface name would say all_dev_nodes
then it would have been a different story

In Debian the kernel needs to set attributes of generic device_t blk files
(/dev/dm-.*). Somehow they're created with generic device_t

In Debian the kernel needs to create, and set attributes of, at least the chr
files that I added named file transition rules for, but I added
permissions to kernel to create and set attributes of any chr file in
/dev (that includes generic device_t type chr files)

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.if | 12 ++++++++----
policy/modules/kernel/kernel.te | 4 ++++
2 files changed, 12 insertions(+), 4 deletions(-)

diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 147170a..afcc522 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
interface(`dev_setattr_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')

- setattr_blk_files_pattern($1, device_t, device_node)
+ setattr_blk_files_pattern($1, device_t, { device_node device_t })
')

########################################
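Review bot: the added `type device_t;` in gen_require is the real fix in this hunk: the pattern already named device_t as the directory type, so any module other than base calling this interface would have failed at link time. Adding device_t to the target set changes what all four "all" interfaces grant for every existing caller, not only kernel_t; that is consistent with the interface names, as the commit message argues, but the commit message should say the existing callers were checked.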
@@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
interface(`dev_setattr_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')

- setattr_chr_files_pattern($1, device_t, device_node)
+ setattr_chr_files_pattern($1, device_t, { device_node device_t })
')

########################################
@@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
interface(`dev_create_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')

- create_blk_files_pattern($1, device_t, device_node)
+ create_blk_files_pattern($1, device_t, { device_node device_t })
')

########################################
@@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
interface(`dev_create_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')

- create_chr_files_pattern($1, device_t, device_node)
+ create_chr_files_pattern($1, device_t, { device_node device_t })
')

########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d7a9b47..b9d6a3a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)

ifdef(`distro_debian',`
+ dev_create_all_chr_files(kernel_t)
+ dev_setattr_all_blk_files(kernel_t)
+ dev_setattr_all_chr_files(kernel_t)
+
dev_filetrans_input(kernel_t, "event0")
dev_filetrans_input(kernel_t, "event1")
dev_filetrans_input(kernel_t, "event2")
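Review bot: dev_create_all_chr_files(kernel_t) and the two setattr interfaces let kernel_t create or change ownership and mode of any character or block node, generic device_t ones included. The commit message says the underlying problem is /dev/dm-* nodes being created with generic device_t; since type_transition rules match an exact name, the alternative is the enumerated named transitions Fedora uses for such nodes. Whichever is chosen, the reason create is granted for chr but not blk files should be recorded in a comment next to these lines.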
--
1.8.3.1

2013-11-09 09:45:16

by dominick.grift

Subject: [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 12 insertions(+)

diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..5fd339b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
')
+
+ optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
')

optional_policy(`
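Review bot: the hunk header places this inside the `ifndef(`distro_redhat',` block next to gnome_role_template(), so Red Hat builds of staff_r will not get pulseaudio_role(); the same holds for the unprivuser.te hunk below. If that exclusion is intentional because Fedora carries its own pulseaudio policy, a comment saying so would help; otherwise the optional_policy belongs outside the ifndef.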
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6d77e81..acc9ff7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(user, user_r, user_t)
')
+
+ optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
')

optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 189f786..dc03698 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
gnome_role_template($1, $1_r, $1_t)
wm_role_template($1, $1_r, $1_t)
')
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_t)
+ ')
')

optional_policy(`
--
1.8.3.1

2013-11-09 09:45:17

by dominick.grift

Subject: [refpolicy] [PATCH 36/39] init: creates /run/utmp

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd97c98..95f2284 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)

ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
+
+allow init_t initrc_var_run_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')

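Review bot: `allow init_t initrc_var_run_t:file manage_file_perms;` is the permission the fs_tmpfs_filetrans() for utmp in patch 26 was missing; fold it into that patch rather than shipping an intermediate commit whose transition is denied. Inserting the allow rule between the two fs_tmpfs_filetrans() calls also splits them; place it before both.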
--
1.8.3.1

2013-11-09 09:45:18

by dominick.grift

Subject: [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t)

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..a7faaad 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -301,7 +301,7 @@ optional_policy(`
#

allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
--
1.8.3.1

2013-11-09 09:45:19

by dominick.grift

Subject: [refpolicy] [PATCH 38/39] xserver: review this

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a7faaad..2ae8acb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)

xserver_use_user_fonts(xserver_t)

-ifndef(`distro_redhat',`
- allow xserver_t self:process { execmem execheap execstack };
- domain_mmap_low_uncond(xserver_t)
-')
+# ifndef(`distro_redhat',`
+# allow xserver_t self:process { execmem execheap execstack };
+# domain_mmap_low_uncond(xserver_t)
+# ')

ifdef(`distro_rhel4',`
allow xserver_t self:process { execmem execheap execstack };
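Review bot: commenting out the `ifndef(`distro_redhat',` block leaves dead policy text with no record of why. If dropping execmem, execheap, execstack and domain_mmap_low_uncond() for xserver_t is the intent, which is a worthwhile tightening since those permissions are what let a compromised X server run code from writable memory, delete the lines and state the reason in the commit message, or gate them behind a tunable so distributions whose drivers still need them can opt in. Note that the `ifdef(`distro_rhel4',` block directly below still grants the same permissions.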
--
1.8.3.1

2013-11-09 09:45:20

by dominick.grift

Subject: [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)

It would not be sufficient in the current shape anyway because
unconfined_r is not associated with xserver_t.

Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 4 ----
1 file changed, 4 deletions(-)

diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 4e4a4c5..bb1696d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -198,10 +198,6 @@ optional_policy(`
wine_domtrans(unconfined_t)
')

-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
########################################
#
# Unconfined Execmem Local policy
--
1.8.3.1

2013-11-10 19:33:27

by Mira Ressel

Subject: [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.

I also experience this problem when I reconnect my mouse, so it isn't
debian-specific. I'm not a SELinux expert, but this patch looks like a
workaround to me, not like a real fix. It's also a bit limited: For
example, on my system, there are more event devices than event0 -
event5 (atm, the mouse in question is at event9).

2013-11-10 20:58:42

by dominick.grift

Subject: [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.

On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
> I also experience this problem when I reconnect my mouse, so it isn't
> debian-specific. I'm not a SELinux expert, but this patch looks like a
> workaround to me, not like a real fix. It's also a bit limited: For
> example, on my system, there are more event devices than event0 -
> event5 (atm, the mouse in question is at event9).

I consider this to be a (possible) starting point.

I do not think we should add named file type transitions for every
conceivable object in /dev like I think Fedora does.

Only the ones that are actually confirmed. But yes, this should probably
not be distro specific.

Consider this patch a [RFC]

2013-11-11 14:21:41

by Daniel Walsh

Subject: [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.

On 11/10/2013 03:58 PM, Dominick Grift wrote:
> On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
>> I also experience this problem when I reconnect my mouse, so it isn't
>> debian-specific. I'm not a SELinux expert, but this patch looks like a
>> workaround to me, not like a real fix. It's also a bit limited: For
>> example, on my system, there are more event devices than event0 - event5
>> (atm, the mouse in question is at event9).
>
> I consider this to be a (possible) starting point
>
> I do not think we should add named file type transitions for every
> conceivable object in /dev like I think Fedora does
>
> Only the ones that are actually confirmed. But yes, this should probably not
> be distro specific.
>
> Consider this patch a [RFC]
>
The ones we have added in Fedora have been confirmed. We just round up to
the next 10 when they happen. We add them when we see bug reports for
mislabeled devices.

2013-12-03 13:46:56

by cpebenito

Subject: [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/mount.te | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 459a0ef..ea1016d 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -107,7 +107,6 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> fs_rw_tmpfs_chr_files(mount_t)
> fs_read_tmpfs_symlinks(mount_t)
> fs_dontaudit_write_tmpfs_dirs(mount_t)

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-03 13:47:31

by cpebenito

Subject: [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.fc | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index f41857e..374ac00 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -30,7 +30,6 @@ ifdef(`distro_redhat',`
>
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`

Merged.


2013-12-03 13:47:54

by cpebenito

Subject: [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 39f185f..183e45d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -184,6 +184,7 @@ ifdef(`distro_debian',`
> avahi_create_pid_dirs(udev_t)
> avahi_initrc_domtrans(udev_t)
> avahi_manage_pid_files(udev_t)
> + avahi_setattr_pid_dirs(udev_t)
> avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
> ')
> ')
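
Review bot: with avahi_create_pid_dirs, avahi_manage_pid_files and now avahi_setattr_pid_dirs in the same block, udev_t itself holds near-complete control over /run/avahi-daemon on Debian, all for one helper script. A comment naming that script next to these calls would help later audits, and giving the script its own domain would keep the chmod out of udev_t altogether.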

Merged.
2013-12-03 13:48:19

by cpebenito

Subject: [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/authlogin.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 09b791d..367e920 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> dev_read_urand(chkpwd_t)
> +dev_search_sysfs(chkpwd_t)
>
> files_read_etc_files(chkpwd_t)
> # for nscd
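
Review bot: dev_search_sysfs(chkpwd_t) is added without a comment while the neighbouring `# for nscd` shows this file annotates non-obvious rules; say why unix_chkpwd walks /sys on Debian. If it needs nothing under sysfs and the search is incidental, a dontaudit rule would be the tighter fix than an allow.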

Merged.
2013-12-03 13:48:42

by cpebenito

Subject: [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/setrans.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 1447687..8e1e27d 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
> files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
>
> kernel_read_kernel_sysctls(setrans_t)
> -kernel_read_proc_symlinks(setrans_t)
> +kernel_read_system_state(setrans_t)
>
> # allow performing getpidcon() on all processes
> domain_read_all_domains_state(setrans_t)
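
Review bot: kernel_read_system_state() is considerably broader than the kernel_read_proc_symlinks() it replaces (read access to the generic /proc files, not one symlink class), while the subject only justifies reading /proc/filesystems. Put a comment above the call, in the style of `# allow performing getpidcon() on all processes` below, naming the file mcstransd reads, so the widening is documented.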

Merged.
2013-12-03 13:48:58

by cpebenito

Subject: [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 47bfc33..f6ee5ae 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
> miscfiles_read_hwdata(udev_t)
>
> modutils_domtrans_insmod(udev_t)
> +modutils_read_module_config(udev_t)
> # read modules.inputmap:
> modutils_read_module_deps(udev_t)
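
Review bot: modutils_read_module_config(udev_t) carries no comment whereas the sibling call has `# read modules.inputmap:`; add a matching `# read /etc/modprobe.d` line (the path from the subject) above it for consistency.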

Merged.
2013-12-03 13:49:12

by cpebenito

Subject: [refpolicy] [PATCH 14/39] fstools: hdparm append (what seems inherited from devicekit) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/fstools.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index b40e06f..6f9fde9 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -171,6 +171,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_read_pid_files(fsadm_t)
> + devicekit_append_inherited_log_files(fsadm_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_write_log(fsadm_t)
> ')
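
Review bot: the subject says hdparm reads /run/pm-utils/locks/pm-powersave.lock, yet the rule added is devicekit_read_pid_files(fsadm_t); confirm that path actually carries a devicekit pid type, otherwise this allow does not cover the denial. devicekit_append_inherited_log_files is the right shape for an inherited log fd, but nothing in the block says why fsadm_t touches power-management files; a one-line comment naming hdparm would save the next reader a trip through the audit log.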

Merged.
2013-12-03 13:49:35

by cpebenito

Subject: [refpolicy] [PATCH 15/39] sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 999e142..a2b9820 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -201,6 +201,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_domtrans(dhcpc_t)
> + networkmanager_read_pid_files(dhcpc_t)
> + networkmanager_manage_lib_files(dhcpc_t)
> + networkmanager_stream_connect(dhcpc_t)
> +')
> +
> +optional_policy(`
> nis_read_ypbind_pid(dhcpc_t)
> ')
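
Review bot: the commit message confirms only networkmanager_manage_lib_files(dhcpc_t), and for a read of /var/lib/NetworkManager/dhclient-eth0.conf; manage_ grants create, write and unlink on every NetworkManager lib file, so a read-only lib files interface, if one exists, would match the observed access. networkmanager_domtrans(dhcpc_t) is the most surprising of the four (dhclient executing NetworkManager and transitioning into its domain); since it is carried over from Fedora unconfirmed, either document the denial it fixes or leave it out until it is observed.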

Merged.
2013-12-03 13:51:32

by cpebenito

Subject: [refpolicy] [PATCH 22/39] sysnetwork: dhclient searches /var/lib/ntp

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a2b9820..5857838 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -219,6 +219,7 @@ optional_policy(`
>
> optional_policy(`
> ntp_initrc_domtrans(dhcpc_t)
> + ntp_read_drift_files(dhcpc_t)
> ')
>
> optional_policy(`
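
Review bot: the subject says dhclient searches /var/lib/ntp, but ntp_read_drift_files(dhcpc_t) grants read on the drift files themselves, not just search on the directory. If only the search was in the denial this over-grants; if dhclient does read the drift file, update the subject to say so.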

Merged.
2013-12-03 13:51:47

by cpebenito

Subject: [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/ssh.te | 4 ++++
> policy/modules/system/setrans.te | 4 ++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index cc877c7..d7559d8 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
> ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(sshd_var_run_t, "sshd")
> +')
> +
> type sshd_key_t;
> files_type(sshd_key_t)
>
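
Review bot: the ifdef(`distro_debian') guard around init_daemon_run_dir(sshd_var_run_t, "sshd") is not explained: if the init script creates /run/sshd on other distributions too, the transition should be unconditional, and if it really is Debian-only a comment naming the script would help. The call also lands in the declarations section, between init_daemon_domain and `type sshd_key_t;`; unless the macro must immediately follow the type it creates for, keep it with the other distro-conditional rules.
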
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 48aefa2..dcd7c62 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -20,6 +20,10 @@ type setrans_var_run_t;
> files_pid_file(setrans_var_run_t)
> mls_trusted_object(setrans_var_run_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(setrans_var_run_t, "setrans")
> +')
> +
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
> ')
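
Review bot: same Debian-only question as for sshd above. Additionally, setrans_var_run_t is mls_trusted_object and the directory is now created by the init script's domain through this transition; under enable_mls, confirm the init script's range lets it create the directory at the level mcstransd (run at s0 - mcs_systemhigh per the line below) expects.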

Merged.
2013-12-03 13:52:02

by cpebenito

Subject: [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/kernel.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index dd1e7e7..d7a9b47 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_request_load_module(kernel_t)
> +
> # Allow unlabeled network traffic
> allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> corenet_in_generic_if(unlabeled_t)
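
Review bot: kernel_request_load_module(kernel_t) is added without a comment in a file where every neighbouring rule has one (`# connections with invalidated labels:`, `# Allow unlabeled network traffic`); add a line citing the cryptomgr_test/cryptd module request from the subject. The subject itself is cut off after `cryptd(__driver-ecb-aes-aesni`; complete it.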

Merged.
2013-12-03 13:52:54

by cpebenito

Subject: [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t)

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 8b40377..a7faaad 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -301,7 +301,7 @@ optional_policy(`
> #
>
> allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
> -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
> +allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
> allow xdm_t self:fifo_file rw_fifo_file_perms;
> allow xdm_t self:shm create_shm_perms;
> allow xdm_t self:sem create_sem_perms;
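
Review bot: dropping setkeycreate from the xdm_t self:process set relies on auth_login_pgm_domain(xdm_t) being called unconditionally, and that call is not in the hunk. If it sits inside an optional_policy block, xdm_t loses setkeycreate whenever that module is absent, so verify the caller's placement before merging.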

Merged.
2013-12-03 13:53:11

by cpebenito

Subject: [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)

On 11/09/13 04:45, Dominick Grift wrote:
> It would not be sufficient in the current shape anyways because
> unconfined_r is not associated with xserver_t
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 4e4a4c5..bb1696d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -198,10 +198,6 @@ optional_policy(`
> wine_domtrans(unconfined_t)
> ')
>
> -optional_policy(`
> - xserver_domtrans(unconfined_t)
> -')
> -
> ########################################
> #
> # Unconfined Execmem Local policy
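
Review bot: the justification (unconfined_t is xserver_unconfined) is not visible in this hunk; confirm xserver_unconfined(unconfined_t) is present elsewhere in unconfined.te, since after this removal an X server started from unconfined_t stays in unconfined_t instead of transitioning to xserver_t. The second reason in the message (unconfined_r not associated with xserver_t) could equally be fixed with a role statement, so the commit message should say why the transition is undesirable rather than merely broken.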

Merged.
2013-12-03 18:29:51

by cpebenito

Subject: [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/userdomain.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9dc60c6..06d8db1 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
>
> ########################################
> ## <summary>
> +## Delete user tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read user tmpfs files.
> ## </summary>
> ## <param name="domain">
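
Review bot: the summary `Delete user tmpfs files.` should make clear that user_tmpfs_t is a single type shared by every user, so a caller (pulseaudio clients here) gains unlink on all users' tmpfs files, not only its own, with DAC and any MLS/MCS constraints as the remaining per-user separation. Since delete_files_pattern also grants the directory permissions needed to unlink, the interface name and doc are otherwise consistent with the neighbouring `Read user tmpfs files.` one.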

Merged.
2013-12-03 18:30:08

by cpebenito

Subject: [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/setrans.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 8e1e27d..48aefa2 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
> mls_process_read_up(setrans_t)
> mls_socket_read_all_levels(setrans_t)
>
> +selinux_getattr_fs(setrans_t)
> selinux_compute_access_vector(setrans_t)
>
> term_dontaudit_use_generic_ptys(setrans_t)
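
Review bot: selinux_getattr_fs(setrans_t) is inserted before selinux_compute_access_vector(setrans_t), breaking the alphabetical order used within these blocks (compute sorts before getattr); swap the two lines. A short comment recording that mcstransd fails to start on Debian without the getattr would explain the rule to later readers.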

Instead of merging this, I replaced the seutil_read_config() with seutil_libselinux_linked(). It has the above access that you wanted to add.
2013-12-03 18:30:13

by cpebenito

Subject: [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up in Debian

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>

Merged, with a whitespace fix.

> ---
> policy/modules/system/fstools.te | 5 +++++
> policy/modules/system/hostname.te | 4 ++++
> policy/modules/system/sysnetwork.te | 4 ++++
> 3 files changed, 13 insertions(+)
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 3f48d30..b40e06f 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
>
> userdom_use_user_terminals(fsadm_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(fsadm_t)
> +')
> +
> +
> ifdef(`distro_redhat',`
> optional_policy(`
> unconfined_domain(fsadm_t)
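
Review bot: the subject says these domains read and write tty_device_t chr files at boot, but term_dontaudit_use_unallocated_ttys only silences the denial; if fsadm output on the console during boot is actually wanted, an allow through the matching term_use interface is needed, otherwise the dontaudit hides a real failure. Also, the doubled blank `+` lines after the ifdef block should be a single blank line.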
> diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
> index 24a7889..d5d4a1c 100644
> --- a/policy/modules/system/hostname.te
> +++ b/policy/modules/system/hostname.te
> @@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
> sysnet_read_config(hostname_t)
> sysnet_dns_name_resolve(hostname_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(hostname_t)
> +')
> +
> optional_policy(`
> nis_use_ypbind(hostname_t)
> ')
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a392fc4..999e142 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
> userdom_use_user_terminals(ifconfig_t)
> userdom_use_all_users_fds(ifconfig_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(ifconfig_t)
> +')
> +
> ifdef(`distro_ubuntu',`
> optional_policy(`
> unconfined_domain(ifconfig_t)
>

2013-12-03 18:30:19

by cpebenito

Subject: [refpolicy] [PATCH 10/39] udev: udevd executable location changed

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 374ac00..dd1a887 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> +/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> ')
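
Review bot: the distro_redhat block above carries only /usr/lib/systemd/systemd-udevd, and this hunk adds /lib/systemd/systemd-udevd under ifdef(`distro_debian'). The /lib path is what systemd uses on any system without merged /usr, not just Debian, so check whether the guard is needed; an unconditional spec would keep udevd labelled udev_exec_t on other non-merged-/usr installs as well.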

Merged.
2013-12-03 18:30:23

by cpebenito

Subject: [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/lvm.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 79048c4..d379ef3 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
> dev_relabel_generic_dev_dirs(lvm_t)
> dev_manage_generic_blk_files(lvm_t)
> # Read /sys/block. Device mapper metadata is kept there.
> -dev_read_sysfs(lvm_t)
> +dev_rw_sysfs(lvm_t)
> # cjp: this has no effect since LVM does not
> # have lnk_file relabelto for anything else.
> # perhaps this should be blk_files?
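
Review bot: the comment above the changed line still says `# Read /sys/block.` while the rule becomes dev_rw_sysfs(lvm_t), which grants write on every sysfs file, not only read_ahead_kb; update the comment to record the write and its target so the widening is documented. If a narrower sysfs type exists for the block-device attributes lvm tunes, prefer it over generic rw on sysfs.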

Merged.
2013-12-05 14:21:40

by cpebenito

Subject: [refpolicy] [PATCH 38/39] xserver: review this

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index a7faaad..2ae8acb 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
>
> -ifndef(`distro_redhat',`
> - allow xserver_t self:process { execmem execheap execstack };
> - domain_mmap_low_uncond(xserver_t)
> -')
> +# ifndef(`distro_redhat',`
> +# allow xserver_t self:process { execmem execheap execstack };
> +# domain_mmap_low_uncond(xserver_t)
> +# ')
>
> ifdef(`distro_rhel4',`
> allow xserver_t self:process { execmem execheap execstack };
>
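
Review bot: commenting the block out leaves dead code with no record of why; either delete the four lines (git history keeps them) or keep them behind a guard with a comment explaining the distributions that still need execmem/execheap/execstack for the X server. Note that the distro_rhel4 block directly below still grants the same permissions to xserver_t, so it should be revisited together with this one.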

I suspect this can be removed, not just commented out. Sven, can you confirm on Gentoo?
2013-12-05 14:24:33

by Daniel Walsh

Subject: [refpolicy] [PATCH 38/39] xserver: review this

On 12/05/2013 09:21 AM, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <[email protected]> ---
>> policy/modules/services/xserver.te | 8 ++++---- 1 file changed, 4
>> insertions(+), 4 deletions(-)
>>
>> diff --git a/policy/modules/services/xserver.te
>> b/policy/modules/services/xserver.te index a7faaad..2ae8acb 100644 ---
>> a/policy/modules/services/xserver.te +++
>> b/policy/modules/services/xserver.te @@ -741,10 +741,10 @@
>> userdom_rw_user_tmpfs_files(xserver_t)
>>
>> xserver_use_user_fonts(xserver_t)
>>
>> -ifndef(`distro_redhat',` - allow xserver_t self:process { execmem
>> execheap execstack }; - domain_mmap_low_uncond(xserver_t) -') +#
>> ifndef(`distro_redhat',` +# allow xserver_t self:process { execmem
>> execheap execstack }; +# domain_mmap_low_uncond(xserver_t) +# ')
>>
>> ifdef(`distro_rhel4',` allow xserver_t self:process { execmem execheap
>> execstack };
>>
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
Yes just remove it.

2013-12-06 13:28:10

by cpebenito

Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 6 ++++++
> policy/users | 7 -------
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 28a2188..4e4a4c5 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> optional_policy(`
> unconfined_dbus_chat(unconfined_execmem_t)
> ')
> +
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
> diff --git a/policy/users b/policy/users
> index 5db8cf4..25402af 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> -# Until order dependence is fixed for users:
> -ifdef(`direct_sysadm_daemon',`
> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -',`
> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -')
> -
> #
> # The following users correspond to Unix identities.
> # These identities are typically assigned as the user attribute

I believe this will break the monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.

Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
2013-12-06 13:34:48

by cpebenito

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 8274418..c74ba1f 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #

Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
2013-12-06 13:49:34

by dominick.grift

Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed

On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/system/unconfined.te | 6 ++++++
> > policy/users | 7 -------
> > 2 files changed, 6 insertions(+), 7 deletions(-)
> >
> > diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> > index 28a2188..4e4a4c5 100644
> > --- a/policy/modules/system/unconfined.te
> > +++ b/policy/modules/system/unconfined.te
> > @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> > optional_policy(`
> > unconfined_dbus_chat(unconfined_execmem_t)
> > ')
> > +
> > +ifdef(`direct_sysadm_daemon',`
> > + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +',`
> > + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +')
> > diff --git a/policy/users b/policy/users
> > index 5db8cf4..25402af 100644
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> > gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > -# Until order dependence is fixed for users:
> > -ifdef(`direct_sysadm_daemon',`
> > - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -',`
> > - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -')
> > -
> > #
> > # The following users correspond to Unix identities.
> > # These identities are typically assigned as the user attribute
>
> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>
> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>

Ouch, I seem to not have tested that. I should follow my own advice.
The problem is that monolithic builds take so long. At least with modular you can
cheat by skipping the assertion checking (although I should not do that
either).

Do you think this error might be related to that?

> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
> typeattribute user_t domain;
> #line 13
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>

2013-12-06 13:50:21

by cpebenito

Subject: [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 5fe902d..28a2188 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)
>
> userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
>
> -ifdef(`distro_gentoo',`
> - seutil_run_runinit(unconfined_t, unconfined_r)
> - seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> +ifdef(`direct_sysadm_daemon',`
> + optional_policy(`
> + init_run_daemon(unconfined_t, unconfined_r)
> + ')
> +',`
> + ifdef(`distro_gentoo',`
> + optional_policy(`
> + seutil_run_runinit(unconfined_t, unconfined_r)
> + seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> + ')
> + ')
> ')

I get an error:

/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
#line 52
role_transition unconfined_r direct_init_entry system_r;
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.29] Error 1

2013-12-06 13:56:25

by dominick.grift

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover

On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/services/xserver.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> > index 8274418..c74ba1f 100644
> > --- a/policy/modules/services/xserver.fc
> > +++ b/policy/modules/services/xserver.fc
> > @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> >
> > #
>
> Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
>

I can't tell; both xdm_t as well as xauth_t are currently allowed to
create files in user home directories with the xauth_home_t type.

Does it make sense from an efficiency/security standpoint to create a new
type for this?

Anyway, if you want a new type for this then drop this patch for now.

2013-12-06 13:59:32

by Daniel Walsh

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover

On 12/06/2013 08:56 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <[email protected]> ---
>>> policy/modules/services/xserver.fc | 1 + 1 file changed, 1
>>> insertion(+)
>>>
>>> diff --git a/policy/modules/services/xserver.fc
>>> b/policy/modules/services/xserver.fc index 8274418..c74ba1f 100644 ---
>>> a/policy/modules/services/xserver.fc +++
>>> b/policy/modules/services/xserver.fc @@ -9,6 +9,7 @@
>>> HOME_DIR/\.ICEauthority.* --
>>> gen_context(system_u:object_r:iceauth_home_t,s0)
>>> HOME_DIR/\.serverauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.*
>>> -- gen_context(system_u:object_r:xauth_home_t,s0)
>>> +HOME_DIR/\.xsession-errors.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0)
>>>
>>> #
>>
>> Does xauth create this log? If xdm does, then it makes more sense to
>> have an xdm derived type. Otherwise I don't see why this shouldn't be
>> user_home_t.
>>
>
> I can't tell; both xdm_t as well as xauth_t are currently allowed to create
> files in user home directories with the xauth_home_t type.
>
> Does it make sense from an efficiency/security standpoint to create a new type
> for this?
>
> Anyway, if you want a new type for this then drop this patch for now.
>
In fedora we have xdm_home_t.

matchpathcon ~/.xsession-errors
/home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0



2013-12-06 14:21:03

by cpebenito

Subject: [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed

On 12/06/13 08:49, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <[email protected]>
>>> ---
>>> policy/modules/system/unconfined.te | 6 ++++++
>>> policy/users | 7 -------
>>> 2 files changed, 6 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 28a2188..4e4a4c5 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
>>> optional_policy(`
>>> unconfined_dbus_chat(unconfined_execmem_t)
>>> ')
>>> +
>>> +ifdef(`direct_sysadm_daemon',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +')
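Review bot: a gen_user() inside a module .te file ends up among the type-enforcement rules when the monolithic policy.conf is assembled, but checkpolicy's policy.conf grammar requires all user declarations in their own section after the TE and RBAC rules, so this placement is what breaks the monolithic build as noted in the reply below; the "syntax error at token 'typeattribute'" quoted further down this thread is consistent with a user statement being followed by TE rules. Either keep the user in policy/users, or first teach the build system to collect user lines into the correct section.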
>>> diff --git a/policy/users b/policy/users
>>> index 5db8cf4..25402af 100644
>>> --- a/policy/users
>>> +++ b/policy/users
>>> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
>>> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
>>> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>>
>>> -# Until order dependence is fixed for users:
>>> -ifdef(`direct_sysadm_daemon',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -')
>>> -
>>> #
>>> # The following users correspond to Unix identities.
>>> # These identities are typically assigned as the user attribute
>>
>> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>>
>> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>>
>
> Ouch, I seem to not have tested that. I should follow my own advice.
> Problem is monolithic builds take so long. At least with modular you can
> cheat by skipping the assertion checking (although I should not do that
> either)
>
> Do you think this error might be related to that?

It could be, but a further inspection of the policy.conf would be required, since the error message by itself isn't very helpful.

>> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
>> typeattribute user_t domain;
>> #line 13
>> checkpolicy: error(s) encountered while parsing configuration
>> make: *** [policy.29] Error 1
>>
>
>


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 14:28:03

by cpebenito

Subject: [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon )

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/users | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/policy/users b/policy/users
> index c4ebc7e..5db8cf4 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> # Until order dependence is fixed for users:
> -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
>
> #
> # The following users correspond to Unix identities.
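Review bot: the two gen_user() branches differ only in the role list, so the ifdef could be inlined into the role argument the way the staff_u line in the hunk header does (`staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r')`), for example `unconfined_r ifdef(`direct_sysadm_daemon',`system_r')`, which avoids keeping two full copies of the line in sync. Granting system_r to unconfined_u is a real widening of that identity's authorized roles; it is the intent here, but the commit message should say so.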

Skipping this for now since the corresponding other change in unconfined has that transition conflict.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 14:29:37

by dominick.grift

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover

On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:

> In Fedora we have xdm_home_t.
>
> matchpathcon ~/.xsession-errors
> /home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
>
>

Thanks, yes I know; the question I have is, is it worth it to create a
private type for this.

2013-12-06 14:33:08

by dominick.grift

Subject: [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well

On Fri, 2013-12-06 at 08:50 -0500, Christopher J. PeBenito wrote:

> I get an error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
> #line 52
> role_transition unconfined_r direct_init_entry system_r;
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>
>

Monolithic I assume, because I did not see this in modular builds.

This can probably be easily fixed though.

What is more important to me right now is to know that you are not
opposed to the idea of making direct_sysadm_daemon apply to unconfined_t
in general.

I am sorry though about all these build errors; I should have tested it
more thoroughly...

2013-12-06 14:50:25

by cpebenito

Subject: [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/admin/usermanage.fc | 4 ++++
> policy/modules/admin/usermanage.te | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
> index f82f0ce..4b7737e 100644
> --- a/policy/modules/admin/usermanage.fc
> +++ b/policy/modules/admin/usermanage.fc
> @@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
> /bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
> ')
>
> +ifdef(`distro_debian',`
> +/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
> +')
> +
> /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
> /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
> /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
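Review bot: labelling /etc/cron.daily/cracklib-runtime as crack_exec_t only has the intended effect if the cron job domain is allowed to transition to crack_t on that entrypoint; this patch adds no domtrans, so it relies on an existing cron entry rule for crack_t in usermanage.te that is not shown in the hunks. Worth confirming that rule is present, otherwise the script either keeps running in the cron domain or is denied execution.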
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1d732f1..471d4a7 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
> userdom_dontaudit_search_user_home_dirs(crack_t)
>
> ifdef(`distro_debian',`
> + allow crack_t self:process getsched;
> # the package cracklib-runtime on Debian contains a daily maintenance
> # script /etc/cron.daily/cracklib-runtime, that calls
> # update-cracklib and that calls crack_mkdict, which is a shell script.
> corecmd_exec_shell(crack_t)
> + dev_search_sysfs(crack_t)
> + miscfiles_read_localization(crack_t)
> ')
>
> optional_policy(`
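Review bot: the new `allow crack_t self:process getsched;` is inserted above the comment that explains the Debian-specific block, which leaves that comment describing only corecmd_exec_shell; placing the three new rules below the comment, or extending it with which helper in the update-cracklib/crack_mkdict chain needs sysfs search and localization, keeps the block self-documenting.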

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 14:50:29

by cpebenito

Subject: [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.

On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/iptables.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index be8ed1e..63eb287 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
> allow iptables_t iptables_tmp_t:file manage_file_perms;
> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>
> +kernel_getattr_proc(iptables_t)
> kernel_request_load_module(iptables_t)
> kernel_read_system_state(iptables_t)
> kernel_read_network_state(iptables_t)
> @@ -105,6 +106,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + firewalld_read_config_files(iptables_t)
> + firewalld_dontaudit_rw_tmp_files(iptables_t)
> +')
> +
> +optional_policy(`
> firstboot_use_fds(iptables_t)
> firstboot_rw_pipes(iptables_t)
> ')
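Review bot: the diffstat touches only iptables.te, so firewalld_read_config_files() and firewalld_dontaudit_rw_tmp_files() must already exist in firewalld.if; an undefined interface name inside optional_policy() is not dropped, the unexpanded call fails the build. Note also that the dontaudit hides read/write denials on firewalld tmp files rather than granting them, which is right for a leaked descriptor but will mask a genuine access need if iptables ever has to use those files.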

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 14:50:47

by cpebenito

Subject: [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/libraries.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
> index 73bb3c0..d9408e6 100644
> --- a/policy/modules/system/libraries.fc
> +++ b/policy/modules/system/libraries.fc
> @@ -117,6 +117,10 @@ ifdef(`distro_redhat',`
>
> /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
> +ifdef(`distro_debian',`
> +/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
> +')
> +
> /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
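Review bot: `/usr/(.*/)?dh-python/dh_pypy` matches a dh-python directory at any depth below /usr, which is broader than a single Debian-installed file needs; if the install path is fixed, anchoring it keeps the lib_t label from being applied to unrelated copies. The subject's own caveat stands: lib_t covers mapping, and if the file turns out to be executed directly it should get bin_t rather than a widened lib_t grant.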

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 14:50:56

by cpebenito

Subject: [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/roles/staff.te | 4 ++++
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/system/userdomain.if | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 0fef1fc..5fd339b 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(staff, staff_r, staff_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(staff_r, staff_t)
> + ')
> ')
>
> optional_policy(`
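Review bot: pulseaudio_role(staff_r, staff_t) is added inside the ifndef(`distro_redhat',` block shown in the hunk header, so Red Hat builds do not get it; if that exclusion is only incidental to where gnome_role_template() lives rather than intended, the call belongs in its own optional_policy() outside the ifndef. The same applies to the unprivuser.te hunk below.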
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 6d77e81..acc9ff7 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(user, user_r, user_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(user_r, user_t)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 189f786..dc03698 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
> gnome_role_template($1, $1_r, $1_t)
> wm_role_template($1, $1_r, $1_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role($1_r, $1_t)
> + ')
> ')
>

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-06 15:35:44

by Daniel Walsh

Subject: [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover


On 12/06/2013 09:29 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:
>
>> In Fedora we have xdm_home_t.
>>
>> matchpathcon ~/.xsession-errors
>> /home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
>>
>>
>
> Thanks, yes I know; the question I have is, is it worth it to create a
> private type for this.
>
>
Maybe not. At least gdm and kdm no longer create this content, I think they
are writing it to journald now.



2013-12-06 16:22:44

by sven.vermeulen

Subject: [refpolicy] [PATCH 38/39] xserver: review this

I auditallow'ed the statements to see if they were triggered during a
normal X session (startup, some apps, shutdown) and they were not, so OK to
remove.
On Dec 5, 2013 3:22 PM, "Christopher J. PeBenito" <[email protected]>
wrote:

> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/services/xserver.te | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> > index a7faaad..2ae8acb 100644
> > --- a/policy/modules/services/xserver.te
> > +++ b/policy/modules/services/xserver.te
> > @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
> >
> > xserver_use_user_fonts(xserver_t)
> >
> > -ifndef(`distro_redhat',`
> > - allow xserver_t self:process { execmem execheap execstack };
> > - domain_mmap_low_uncond(xserver_t)
> > -')
> > +# ifndef(`distro_redhat',`
> > +# allow xserver_t self:process { execmem execheap execstack };
> > +# domain_mmap_low_uncond(xserver_t)
> > +# ')
> >
> > ifdef(`distro_rhel4',`
> > allow xserver_t self:process { execmem execheap execstack };
> >
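Review bot: commenting out policy leaves dead text that tooling will not see, so the ifndef(`distro_redhat') block should be deleted outright once confirmed unused, as the reply below suggests. Dropping execmem, execheap and execstack from xserver_t removes permissions that undermine W^X for the X server process, so this is a hardening change worth naming in the commit message; the distro_rhel4 block in the trailing context still grants the same three permissions and deserves the same review.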
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>

2013-12-06 16:32:37

by dominick.grift

Subject: [refpolicy] [PATCH 38/39] xserver: review this

On Fri, 2013-12-06 at 17:22 +0100, Sven Vermeulen wrote:
> I auditallow'ed the statements to see if they were triggered during a
> normal X session (startup, some apps, shutdown) and they were not, so OK to
> remove.

Thanks, I will submit a patch that removes these.

2013-12-10 15:40:52

by cpebenito

Subject: [refpolicy] [PATCH 20/39] init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index bc49474..9bce838 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -998,6 +998,8 @@ interface(`init_run_daemon',`
> ')
>
> typeattribute $1 direct_run_init;
> +
> + allow $2 system_r;
> role_transition $2 direct_init_entry system_r;
> ')
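Review bot: `allow $2 system_r;` is a role allow statement, so beyond making the role_transition valid it also lets any process in role $2 change to system_r explicitly, not only through the direct_init_entry transition; that is the documented requirement for role_transition, but the interface documentation for init_run_daemon() should state that the caller's role gains system_r.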

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-10 15:40:58

by cpebenito

Subject: [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9bce838..dc9f92b 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -77,6 +77,8 @@ interface(`init_script_domain',`
> domain_type($1)
> domain_entry_file($1, $2)
>
> + role system_r types $1;
> +
> domtrans_pattern(init_run_all_scripts_domain, $2, $1)
>
> ifdef(`direct_sysadm_daemon',`

This failed to apply for me; it's been manually applied.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-10 15:41:03

by cpebenito

Subject: [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 17eda24..5de913e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -179,6 +179,11 @@ seutil_read_config(init_t)
>
> miscfiles_read_localization(init_t)
>
> +ifdef(`distro_debian',`
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> +')
> +
> ifdef(`distro_gentoo',`
> allow init_t self:process { getcap setcap };
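Review bot: `fifo` is not an object class; the filetrans pattern takes `fifo_file`, so `fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")` will not build as written (PATCH 28 later in this thread corrects it). The two rules inside the ifdef(`distro_debian',` block also lack the indentation the neighbouring blocks use, which is the whitespace fix mentioned in the merge note below.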

Merged with whitespace fix.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-10 15:41:09

by cpebenito

Subject: [refpolicy] [PATCH 36/39] init: creates /run/utmp

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index cd97c98..95f2284 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> +
> +allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
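Review bot: `allow init_t initrc_var_run_t:file manage_file_perms;` grants create, write, unlink, rename and the rest of the manage set on every initrc_var_run_t file, not just /run/utmp; since the filetrans rule on the next line only names "utmp", consider whether a narrower permission set suffices. The rule also needs the indentation used by the surrounding blocks, and the blank line splitting the two filetrans rules is unusual for this file.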

Merged manually due to a whitespace fix on the prior patch.


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-14 18:24:50

by dominick.grift

Subject: [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

On Sat, 2013-11-09 at 10:45 +0100, Dominick Grift wrote:

Please merge this patch ASAP.

Current refpolicy does not build without this patch.
This was a rebase mistake by me.

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
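Review bot: the change from `fifo` to `fifo_file` in this hunk is a build fix for the object class introduced by PATCH 26 and is unrelated to the getattr changes the subject describes; it should be squashed into that patch or at least called out in the commit message, since, as the note above says, refpolicy does not build without it.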
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
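Review bot: dev_getattr_generic_blk_files(initrc_t) works around /dev/dm-0 briefly carrying the generic device_t label at boot; getattr is low risk, but the root cause is the node being created as device_t, and the same mislabelled /dev/dm-* nodes come up again in PATCH 34 of this series where kernel_t gets setattr on device_t blk files. A comment here tying the rule to that condition would help a later reader decide when it can be dropped.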

2013-12-20 19:56:36

by cpebenito

Subject: [refpolicy] [PATCH 29/39] init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 4691035..7f8797a 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -450,6 +450,10 @@ ifdef(`distro_debian',`
> storage_tmpfs_filetrans_fixed_disk(initrc_t)
>
> files_setattr_etc_dirs(initrc_t)
> +
> + optional_policy(`
> + exim_manage_var_lib_files(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
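Review bot: exim_manage_var_lib_files(initrc_t) gives the generic init script domain full manage access to every exim_var_lib_t file, while the subject only needs the helpers to create /var/lib/exim4/config.autogenerated.tmp; if those helpers are more than trivial scripts, running them in a dedicated domain (or exim_t itself) would keep initrc_t from becoming a write path into exim's state.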

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-20 19:56:44

by cpebenito

Subject: [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files

On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 7f8797a..cd97c98 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -454,6 +454,14 @@ ifdef(`distro_debian',`
> optional_policy(`
> exim_manage_var_lib_files(initrc_t)
> ')
> +
> + optional_policy(`
> + gdomap_read_config(initrc_t)
> + ')
> +
> + optional_policy(`
> + minissdpd_read_config(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`

Merged.

--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2013-12-20 19:56:53

by cpebenito

Subject: [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:

On 11/09/13 04:45, Dominick Grift wrote:
> 1. device_t type was used but not required
> 2. the interface name suggests all dev files and that includes device_t
> chr/blk files as well. If the interface name would say all_dev_nodes
> then it would have been a different story
>
> In Debian the kernel needs to set attributes of generic device_t blk files
> (/dev/dm-.*). Somehow they're created with generic device_t.
>
> In Debian the kernel needs to create, and set attributes of, at least the chr
> files that I added named file transition rules for, but I added
> permissions to kernel to create and set attributes of any chr file in
> /dev (that includes generic device_t type chr files).

Fails to apply for me.



> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/devices.if | 12 ++++++++----
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 147170a..afcc522 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
> interface(`dev_setattr_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_blk_files_pattern($1, device_t, device_node)
> + setattr_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
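Review bot: the `type device_t;` added to gen_require is a genuine fix on its own, since the pattern already used device_t as the directory type without requiring it; widening the target set to `{ device_node device_t }` is a separate semantic change that makes these "all" interfaces also cover generically labelled nodes, and every existing caller gains that access. Both points apply equally to the three following hunks, and the commit message should state that existing callers now reach device_t nodes.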
> @@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
> interface(`dev_setattr_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_chr_files_pattern($1, device_t, device_node)
> + setattr_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
> interface(`dev_create_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_blk_files_pattern($1, device_t, device_node)
> + create_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
> interface(`dev_create_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_chr_files_pattern($1, device_t, device_node)
> + create_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d7a9b47..b9d6a3a 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
> mls_file_read_all_levels(kernel_t)
>
> ifdef(`distro_debian',`
> + dev_create_all_chr_files(kernel_t)
> + dev_setattr_all_blk_files(kernel_t)
> + dev_setattr_all_chr_files(kernel_t)
> +
> dev_filetrans_input(kernel_t, "event0")
> dev_filetrans_input(kernel_t, "event1")
> dev_filetrans_input(kernel_t, "event2")
>
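Review bot: with the widened interfaces, kernel_t on Debian gains create on every character device type and setattr on every character and block device type; the named dev_filetrans_input() rules in the trailing context are what give the created nodes their proper labels, so anything created outside those rules still lands as device_t. A comment recording which boot-time nodes (/dev/dm-*, the input event nodes) motivated this would help scope a later tightening.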


--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com

2014-02-06 19:56:08

by Laurent Bigonville

Subject: [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

On Sat, 9 Nov 2013 10:45:09 +0100,
Dominick Grift <[email protected]> wrote:

> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te
> b/policy/modules/system/init.te index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)

Hi,

Apparently this patch has never been merged (but the first chunk is not
applying anymore), should I repropose it or would you have the time to
do it?

Cheers,

Laurent Bigonville

2014-02-07 08:15:38

by dominick.grift

Subject: [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file

On Thu, 2014-02-06 at 20:56 +0100, Laurent Bigonville wrote:
> On Sat, 9 Nov 2013 10:45:09 +0100,
> Dominick Grift <[email protected]> wrote:
>
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/system/init.te | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/init.te
> > b/policy/modules/system/init.te index 5de913e..4691035 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> > miscfiles_read_localization(init_t)
> >
> > ifdef(`distro_debian',`
> > -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> > +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> > fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> > ')
> >
> > @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> > userdom_use_user_terminals(initrc_t)
> >
> > ifdef(`distro_debian',`
> > + kernel_getattr_core_if(initrc_t)
> > +
> > + dev_getattr_generic_blk_files(initrc_t)
> > dev_setattr_generic_dirs(initrc_t)
> >
> > fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
>
> Hi,
>
> Apparently this patch has never been merged (but the first chunk is not
> applying anymore), should I repropose it or would you have the time to
> do it?
>
> Cheers,

I lost the passphrase of my SSH key for contrib, so probably best to
resubmit a new patch because I won't be able to commit this.
>
> Laurent Bigonville