2008-09-29 10:32:12

by Russell Coker

Subject: [refpolicy] debian policy patch

The attached patch against the latest subversion tree applies strictly to
Debian-related things.

--
russell at coker.com.au
http://etbe.coker.com.au/ My Blog

http://www.coker.com.au/sponsorship.html Sponsoring Free Software development
-------------- next part --------------
A non-text attachment was scrubbed...
Name: diff-debian
Type: text/x-diff
Size: 16651 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20080929/aa9f918d/attachment.bin


2008-09-30 23:15:56

by martin

Subject: [refpolicy] debian policy patch

On Mon, Sep 29, 2008 at 08:32:12PM +1000, Russell Coker wrote:
> The attached patch against the latest subversion tree strictly applies to
> Debian related things.
>
> --
> russell at coker.com.au
> http://etbe.coker.com.au/ My Blog
>
> http://www.coker.com.au/sponsorship.html Sponsoring Free Software development

> diff -ruw policy/modules/admin/acct.fc /tmp/new-pol/modules/admin/acct.fc
> --- policy/modules/admin/acct.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/acct.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -5,4 +5,9 @@
>
> /usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
>
> +ifdef(`distro_debian',`
> +/var/log/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
> +', `
> /var/account(/.*)? gen_context(system_u:object_r:acct_data_t,s0)
> +')
> +
> diff -ruw policy/modules/admin/alsa.fc /tmp/new-pol/modules/admin/alsa.fc
> --- policy/modules/admin/alsa.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/alsa.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -1,9 +1,19 @@
> +
> +/etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)

This leaves two copies of the above lines in the file.

> /bin/alsaunmute -- gen_context(system_u:object_r:alsa_exec_t,s0)
>
> +ifdef(`distro_debian', `
> +/var/lib/alsa/asound\.state gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/alsa\.conf gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +/usr/share/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +', `
> /etc/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/alsa/pcm(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/asound(/.*)? gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> /etc/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)
> +')
> +
>
> /sbin/alsactl -- gen_context(system_u:object_r:alsa_exec_t,s0)
> /sbin/salsa -- gen_context(system_u:object_r:alsa_exec_t,s0)
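Review bot: The new Debian entries `/var/lib/alsa/asound\.state` and `/usr/share/alsa/alsa\.conf` omit the `--` regular-file specifier that the existing `/etc/alsa/asound\.state --` and `/etc/asound\.state --` lines carry, so the writable alsa_etc_rw_t label would also be applied to a directory or symlink created at those paths. `/var/lib/alsa/asound\.state -- gen_context(system_u:object_r:alsa_etc_rw_t,s0)` keeps the file's convention (the `pcm(/.*)?` tree is a directory and is right without one). The same omission appears in the apt.fc hunk below on `/var/lock/aptitude` and `/var/log/aptitude`, which the commit's own comments describe as a lock file and a log file. Giving a file under /usr/share a rw type is also unusual enough that a one-line comment saying why Debian's ALSA writes there would help the next reader.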
> diff -ruw policy/modules/admin/apt.fc /tmp/new-pol/modules/admin/apt.fc
> --- policy/modules/admin/apt.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -12,5 +12,10 @@
> /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>
> +# aptitude lock
> +/var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
> +# aptitude log
> +/var/log/aptitude gen_context(system_u:object_r:apt_var_log_t,s0)
> +
> # dpkg terminal log
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> diff -ruw policy/modules/admin/apt.if /tmp/new-pol/modules/admin/apt.if
> --- policy/modules/admin/apt.if 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.if 2008-09-29 20:15:54.000000000 +1000
> @@ -73,6 +73,25 @@
>
> ########################################
> ## <summary>
> +## Do not audit attempts to use file descriptors from apt.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process attempting performing this action
> +## which should not be audited.
> +## </summary>
> +## </param>
> +#
> +interface(`apt_dontaudit_use_fds',`
> + gen_require(`
> + type apt_t;
> + ')
> +
> + dontaudit $1 apt_t:fd use;
> +')

Unnecessary interface - see comment below where it's used.

> +
> +########################################
> +## <summary>
> ## Read from an unnamed apt pipe.
> ## </summary>
> ## <param name="domain">
> @@ -129,6 +148,27 @@
>
> ########################################
> ## <summary>
> +## Read the apt package cache.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## The type of the process performing this action.
> +## </summary>
> +## </param>
> +#
> +interface(`apt_read_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir list_dir_perms;
> + dontaudit $1 apt_var_cache_t:dir write;
> + allow $1 apt_var_cache_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Read the apt package database.
> ## </summary>
> ## <param name="domain">
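Review bot: `dontaudit $1 apt_var_cache_t:dir write;` inside a read-only interface silently suppresses the one denial an auditor would want to see from a caller that starts modifying the package cache, and nothing in the summary explains it. If it is there because a known caller opens the cache directory read-write without needing to write, say so in a comment (`# callers open the cache dir O_RDWR; writes are not needed`) so the suppression is traceable; otherwise drop the line and let the denial surface. It would also be worth stating in the summary that symlinks are not covered, since only `dir` and `file` classes are granted.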
> diff -ruw policy/modules/admin/apt.te /tmp/new-pol/modules/admin/apt.te
> --- policy/modules/admin/apt.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/apt.te 2008-09-29 20:15:54.000000000 +1000
> @@ -30,6 +30,11 @@
> type apt_var_cache_t alias var_cache_apt_t;
> files_type(apt_var_cache_t)
>
> +# aptitude lock file
> +type apt_lock_t;
> +files_lock_file(apt_lock_t)
> +
> +# aptitude log file
> type apt_var_log_t;
> logging_log_file(apt_var_log_t)
>
> @@ -53,6 +58,9 @@
> allow apt_t self:msgq create_msgq_perms;
> allow apt_t self:msg { send receive };
>
> +# Run update
> +allow apt_t self:netlink_route_socket r_netlink_socket_perms;
> +
> # Access /var/cache/apt files
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
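Review bot: The comment `# Run update` does not say why `apt-get update` needs a `netlink_route_socket`, so the next person auditing apt_t's network access has to rediscover it. A comment naming the observed need, e.g. `# apt-get update queries routing/interface state over netlink (r_netlink_socket_perms)`, hedged if the exact call is not known, would make the rule reviewable.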
> @@ -72,6 +80,14 @@
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
> files_var_lib_filetrans(apt_t, apt_var_lib_t, dir)
>
> +# lock files
> +allow apt_t apt_lock_t:dir manage_dir_perms;
> +allow apt_t apt_lock_t:file manage_file_perms;
> +files_lock_filetrans(apt_t, apt_lock_t, {dir file})
> +
> +# log files
> +allow apt_t apt_var_log_t:file manage_file_perms;
> +
> kernel_read_system_state(apt_t)
> kernel_read_kernel_sysctls(apt_t)
>
> @@ -114,9 +130,15 @@
> libs_exec_lib_files(apt_t)
>
> logging_send_syslog_msg(apt_t)
> +logging_log_filetrans(apt_t, apt_var_log_t, file)
>
> miscfiles_read_localization(apt_t)
>
> +# this is not particularly nice.
> +# maybe add a type for ~/.aptitude instead.
> +userdom_manage_all_users_home_content_files(apt_t)
> +userdom_manage_all_users_home_content_dirs(apt_t)
> +
> seutil_use_newrole_fds(apt_t)
>
> sysnet_read_config(apt_t)
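Review bot: `userdom_manage_all_users_home_content_files(apt_t)` and `userdom_manage_all_users_home_content_dirs(apt_t)` grant the package-manager domain create, write and delete on every file and directory in every user's home, far beyond the `~/.aptitude` state the comment mentions, so any defect in an apt run can overwrite arbitrary user data. The author's own comment already points at the right fix; it should be done before this lands rather than left as a TODO: a dedicated type for `.aptitude` created via a home-directory file transition (something like `userdom_user_home_dir_filetrans(apt_t, <new type>, dir, ".aptitude")`, name to be chosen) and management limited to that type. If the broad rule must stay for now, the comment should at least say which aptitude operation needs write access outside `.aptitude`, if any.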
> @@ -127,6 +149,10 @@
> #')
>
> optional_policy(`
> + pythonsupport_domtrans(apt_t)
> +')

This patch doesn't contain the pythonsupport_domtrans interface.

> +
> +optional_policy(`
> # dpkg interaction
> dpkg_read_db(apt_t)
> dpkg_domtrans(apt_t)
> diff -ruw policy/modules/admin/bootloader.fc /tmp/new-pol/modules/admin/bootloader.fc
> --- policy/modules/admin/bootloader.fc 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/bootloader.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -2,6 +2,15 @@
> /etc/lilo\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
> /etc/yaboot\.conf.* -- gen_context(system_u:object_r:bootloader_etc_t,s0)
>
> +
> +# Debian puts grub in /usr/sbin/grub
> +ifdef(`distro_debian',`
> +/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/etc/mkinitrd/scripts/.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/usr/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +/sbin/mkinitrd -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +',`
> /sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> +')
> /sbin/lilo.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
> /sbin/ybin.* -- gen_context(system_u:object_r:bootloader_exec_t,s0)
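Review bot: The comment `# Debian puts grub in /usr/sbin/grub` explains only the first line of the block; the three mkinitrd entries, including `/etc/mkinitrd/scripts/.*` which labels hook scripts under /etc as bootloader_exec_t, get no explanation. Something like `# Debian ships grub in /usr/sbin and its mkinitrd hooks in /etc/mkinitrd/scripts; all run as the bootloader domain` would cover the whole block. The extra blank line added above the comment also leaves two consecutive blanks.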
> diff -ruw policy/modules/admin/dmesg.te /tmp/new-pol/modules/admin/dmesg.te
> --- policy/modules/admin/dmesg.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dmesg.te 2008-09-29 20:15:54.000000000 +1000
> @@ -52,7 +52,9 @@
>
> userdom_dontaudit_use_unpriv_user_fds(dmesg_t)
>
> +optional_policy(`
> sysadm_use_terms(dmesg_t)
> +')
>
> optional_policy(`
> seutil_sigchld_newrole(dmesg_t)
> diff -ruw policy/modules/admin/dpkg.te /tmp/new-pol/modules/admin/dpkg.te
> --- policy/modules/admin/dpkg.te 2008-09-10 09:06:05.000000000 +1000
> +++ /tmp/new-pol/modules/admin/dpkg.te 2008-09-29 20:15:54.000000000 +1000
> @@ -67,6 +67,16 @@
> allow dpkg_t self:msgq create_msgq_perms;
> allow dpkg_t self:msg { send receive };
>
> +# This is for se_aptitude et al, so that maintainer scripts can talk back.
> +apt_use_fds(dpkg_script_t)
> +apt_rw_pipes(dpkg_script_t)

Already in an optional_policy block.

> +
> +# This is for the maintainer scripts
> +init_use_script_fds(dpkg_script_t)
> +
> +# se_apt-get needs this to run dpkg-preconfigure
> +init_use_script_ptys(dpkg_t)

Why are you pulling these out of their proper alphabetical order?

> +
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> @@ -150,7 +160,6 @@
> files_exec_etc_files(dpkg_t)
>
> init_domtrans_script(dpkg_t)
> -init_use_script_ptys(dpkg_t)
>
> libs_use_ld_so(dpkg_t)
> libs_use_shared_libs(dpkg_t)
> @@ -167,11 +176,15 @@
> sysnet_read_config(dpkg_t)
>
> userdom_use_unpriv_users_fds(dpkg_t)
> +allow userdomain dpkg_var_lib_t:dir list_dir_perms;
> +allow userdomain dpkg_var_lib_t:file read_file_perms;

Encapsulation violation: should use dpkg_read_db.

>
> # transition to dpkg script:
> dpkg_domtrans_script(dpkg_t)
> -# since the scripts aren't labeled correctly yet...
> +# since the scripts are not labeled correctly yet...
> allow dpkg_t dpkg_var_lib_t:file execute;
> +# This is used for running config files for debconf interactions
> +allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };
>
> optional_policy(`
> apt_use_ptys(dpkg_t)
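Review bot: `allow dpkg_t dpkg_tmp_t:file { execute execute_no_trans };` lets dpkg_t execute any file of its tmp type inside its own domain with no transition, so the integrity of dpkg_t now depends on what can create dpkg_tmp_t files. The comment `# This is used for running config files for debconf interactions` should say where those scripts are extracted to and that only dpkg_t itself creates them (I assume that from the `manage_dirs_pattern(dpkg_t, dpkg_tmp_t, ...)` rules earlier in the file, which are outside this hunk; please confirm). If the config scripts are what dpkg_script_t exists for, a transition to that domain on execution would keep them out of dpkg_t; if a dedicated type is too much for now, at least drop `execute_no_trans` unless it is proven needed.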
> @@ -295,7 +308,6 @@
> auth_manage_all_files_except_shadow(dpkg_script_t)
>
> init_domtrans_script(dpkg_script_t)
> -init_use_script_fds(dpkg_script_t)
>
> libs_use_ld_so(dpkg_script_t)
> libs_use_shared_libs(dpkg_script_t)
> diff -ruw policy/modules/kernel/devices.fc /tmp/new-pol/modules/kernel/devices.fc
> --- policy/modules/kernel/devices.fc 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/devices.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -1,5 +1,12 @@
>
> /dev -d gen_context(system_u:object_r:device_t,s0)
> +ifdef(`distro_debian',`
> +# this is a static /dev dir "backup mount"
> +# if you want to disable udev, you'll have to boot permissive and relabel!
> +/dev/\.static -d gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev -d gen_context(system_u:object_r:device_t,s0)
> +/dev/\.static/dev/(.*)? <<none>>
> +')
> /dev/.* gen_context(system_u:object_r:device_t,s0)
>
> /dev/.*mouse.* -c gen_context(system_u:object_r:mouse_device_t,s0)
> diff -ruw policy/modules/kernel/files.fc /tmp/new-pol/modules/kernel/files.fc
> --- policy/modules/kernel/files.fc 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.fc 2008-09-29 20:15:54.000000000 +1000
> @@ -252,4 +252,7 @@
>
> ifdef(`distro_debian',`
> /var/run/motd -- gen_context(system_u:object_r:etc_runtime_t,s0)
> +# on Debian /lib/init/rw is a tmpfs used like /var/run but
> +# before /var is mounted
> +/lib/init/rw -d gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> ')
> diff -ruw policy/modules/kernel/files.te /tmp/new-pol/modules/kernel/files.te
> --- policy/modules/kernel/files.te 2008-09-10 09:05:48.000000000 +1000
> +++ /tmp/new-pol/modules/kernel/files.te 2008-09-29 20:15:54.000000000 +1000
> @@ -174,6 +174,10 @@
> #
> type var_run_t;
> files_pid_file(var_run_t)
> +ifdef(`distro_debian', `
> +# for /lib/init/rw
> +typeattribute var_run_t mountpoint;
> +')
>
> #
> # var_spool_t is the type of /var/spool
> diff -ruw policy/modules/services/dcc.fc /tmp/new-pol/modules/services/dcc.fc
> --- policy/modules/services/dcc.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/dcc.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -5,13 +5,27 @@
> /usr/bin/cdcc -- gen_context(system_u:object_r:cdcc_exec_t,s0)
> /usr/bin/dccproc -- gen_context(system_u:object_r:dcc_client_exec_t,s0)
>
> +ifdef(`distro_redhat',`
> /usr/libexec/dcc/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
> /usr/libexec/dcc/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
> /usr/libexec/dcc/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
> /usr/libexec/dcc/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/usr/sbin/dbclean -- gen_context(system_u:object_r:dcc_dbclean_exec_t,s0)
> +/usr/sbin/dccd -- gen_context(system_u:object_r:dccd_exec_t,s0)
> +/usr/sbin/dccifd -- gen_context(system_u:object_r:dccifd_exec_t,s0)
> +/usr/sbin/dccm -- gen_context(system_u:object_r:dccm_exec_t,s0)
> +')
>
> +ifdef(`distro_redhat',`
> /var/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
> /var/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
> +ifdef(`distro_debian',`
> +/var/lib/dcc(/.*)? gen_context(system_u:object_r:dcc_var_t,s0)
> +/var/lib/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
> +')
>
> /var/run/dcc(/.*)? gen_context(system_u:object_r:dcc_var_run_t,s0)
> /var/run/dcc/map -- gen_context(system_u:object_r:dcc_client_map_t,s0)
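Review bot: Wrapping the existing `/usr/libexec/dcc/*` and `/var/dcc` entries in `ifdef(`distro_redhat'` removes them for every distribution that is neither Red Hat nor Debian, so on such systems the dcc binaries and data lose their labels; that is a regression, not the Debian-only change the cover letter describes. The Debian paths do not overlap the existing ones, so the two `ifdef(`distro_debian'` blocks can simply be added and the `distro_redhat` wrappers dropped, or, if the original paths are meant to be the default, use an else branch (`', `` ... `')`) as the acct.fc hunk does.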
> diff -ruw policy/modules/services/ldap.fc /tmp/new-pol/modules/services/ldap.fc
> --- policy/modules/services/ldap.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/ldap.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -1,10 +1,11 @@
>
> /etc/ldap/slapd\.conf -- gen_context(system_u:object_r:slapd_etc_t,s0)
>
> -/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> -
> +# Debian and Ubunto place slapd in a different location
> ifdef(`distro_debian',`
> /usr/lib/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> +', `
> +/usr/sbin/slapd -- gen_context(system_u:object_r:slapd_exec_t,s0)
> ')

This is no longer correct: Debian now has /usr/sbin/slapd.

>
> /var/lib/ldap(/.*)? gen_context(system_u:object_r:slapd_db_t,s0)
> diff -ruw policy/modules/services/nagios.fc /tmp/new-pol/modules/services/nagios.fc
> --- policy/modules/services/nagios.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/nagios.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -11,6 +11,7 @@
> /var/log/netsaint(/.*)? gen_context(system_u:object_r:nagios_log_t,s0)
>
> ifdef(`distro_debian',`
> -/usr/sbin/nagios -- gen_context(system_u:object_r:nagios_exec_t,s0)
> -/usr/lib/cgi-bin/nagios/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/sbin/nagios.* -- gen_context(system_u:object_r:nagios_exec_t,s0)
> +/usr/lib/cgi-bin/nagios.?/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> +/usr/lib/nagios3/cgi/.+ -- gen_context(system_u:object_r:nagios_cgi_exec_t,s0)
> ')
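Review bot: `/usr/sbin/nagios.* --` labels every regular file under /usr/sbin whose name begins with `nagios` as nagios_exec_t, not just the `nagios`/`nagios3` daemon binaries the change appears to target, so any helper installed with that prefix would be transitioned into the daemon domain. `/usr/sbin/nagios[0-9]? -- gen_context(system_u:object_r:nagios_exec_t,s0)` is as tight as the intent, and the cgi-bin line's `nagios.?` would likewise be clearer as `nagios[0-9]?`.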
> diff -ruw policy/modules/services/portmap.fc /tmp/new-pol/modules/services/portmap.fc
> --- policy/modules/services/portmap.fc 2008-09-10 09:06:01.000000000 +1000
> +++ /tmp/new-pol/modules/services/portmap.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -4,6 +4,7 @@
> ifdef(`distro_debian',`
> /sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> /sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> +/var/run/portmap_mapping -- gen_context(system_u:object_r:portmap_var_run_t,s0)
> ', `
> /usr/sbin/pmap_dump -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> /usr/sbin/pmap_set -- gen_context(system_u:object_r:portmap_helper_exec_t,s0)
> diff -ruw policy/modules/services/ssh.te /tmp/new-pol/modules/services/ssh.te
> --- policy/modules/services/ssh.te 2008-09-27 15:27:05.000000000 +1000
> +++ /tmp/new-pol/modules/services/ssh.te 2008-09-29 20:16:09.000000000 +1000
> @@ -55,6 +55,11 @@
> init_ranged_daemon_domain(sshd_t,sshd_exec_t,s0 - mcs_systemhigh)
> ')
>
> +ifdef(`distro_debian', `
> +# for key blacklist related to openssl bug
> + allow sshd_t usr_t:file read_file_perms;
> +')
> +
> #################################
> #
> # sshd local policy
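Review bot: `allow sshd_t usr_t:file read_file_perms;` names a type owned by the files module directly instead of going through its interface; `files_read_usr_files(sshd_t)` gives the same access without the encapsulation violation, and it also grants the directory search that a bare file rule does not. The block is also placed in the declarations section, ahead of the `# sshd local policy` header, so it would read better among the other sshd_t rules. Naming the blacklist file in the comment would let a future reviewer see whether a narrower type than all of /usr is warranted (the key-blacklist files are, I believe, read-only data under /usr/share, but confirm).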
> diff -ruw policy/modules/system/init.fc /tmp/new-pol/modules/system/init.fc
> --- policy/modules/system/init.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/init.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -15,6 +15,10 @@
> /etc/vmware/init\.d/vmware -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /etc/x11/startDM\.sh -- gen_context(system_u:object_r:initrc_exec_t,s0)
> ')
> +ifdef(`distro_debian',`
> +/var/run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/var/run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +')
>
> #
> # /dev
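Review bot: `/var/run/kdm/.*` labeled initrc_var_run_t assigns a display manager's runtime files to the init-script pid type, which every domain allowed to touch initrc runtime files can then read or write. The xserver module, as far as I recall, already has a runtime type for the display-manager domain; if so, that entry belongs in xserver.fc with that type, and if Debian really needs the init type here a comment should say which init script creates those files. `/var/run/hotkey-setup --` looks legitimately init-created and is fine.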
> diff -ruw policy/modules/system/libraries.te /tmp/new-pol/modules/system/libraries.te
> --- policy/modules/system/libraries.te 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/libraries.te 2008-09-29 20:16:09.000000000 +1000
> @@ -90,6 +90,11 @@
>
> userdom_use_all_users_fds(ldconfig_t)
>
> +optional_policy(`
> + # This is needed for apt to get and install packages silently
> + apt_dontaudit_use_fds(ldconfig_t)
> +')

We already have apt_use_fds(ldconfig_t)

> +
> ifdef(`distro_ubuntu',`
> optional_policy(`
> unconfined_domain(ldconfig_t)
> diff -ruw policy/modules/system/sysnetwork.fc /tmp/new-pol/modules/system/sysnetwork.fc
> --- policy/modules/system/sysnetwork.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/sysnetwork.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -22,6 +22,9 @@
> /etc/sysconfig/networking/profiles/.*/resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
> ')
>
> +ifdef(`distro_debian', `
> +/dev/shm/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> +')
> #
> # /sbin
> #
> diff -ruw policy/modules/system/udev.fc /tmp/new-pol/modules/system/udev.fc
> --- policy/modules/system/udev.fc 2008-09-10 09:06:03.000000000 +1000
> +++ /tmp/new-pol/modules/system/udev.fc 2008-09-29 20:16:09.000000000 +1000
> @@ -10,7 +10,11 @@
>
> /etc/udev/scripts/.+ -- gen_context(system_u:object_r:udev_helper_exec_t,s0)
>
> +ifdef(`distro_debian', `
> +/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
> +', `
> /sbin/start_udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> +')
> /sbin/udev -- gen_context(system_u:object_r:udev_exec_t,s0)
> /sbin/udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /sbin/udevsend -- gen_context(system_u:object_r:udev_exec_t,s0)

--
Martin Orr