Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/mount.te | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
index 459a0ef..ea1016d 100644
--- a/policy/modules/system/mount.te
+++ b/policy/modules/system/mount.te
@@ -107,7 +107,6 @@ fs_mount_all_fs(mount_t)
fs_unmount_all_fs(mount_t)
fs_remount_all_fs(mount_t)
fs_relabelfrom_all_fs(mount_t)
-fs_list_auto_mountpoints(mount_t)
fs_rw_tmpfs_chr_files(mount_t)
fs_read_tmpfs_symlinks(mount_t)
fs_dontaudit_write_tmpfs_dirs(mount_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f41857e..374ac00 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -30,7 +30,6 @@ ifdef(`distro_redhat',`
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
ifdef(`distro_debian',`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/userdomain.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..06d8db1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
########################################
## <summary>
+## Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
## Read user tmpfs files.
## </summary>
## <param name="domain">
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f..183e45d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -184,6 +184,7 @@ ifdef(`distro_debian',`
avahi_create_pid_dirs(udev_t)
avahi_initrc_domtrans(udev_t)
avahi_manage_pid_files(udev_t)
+ avahi_setattr_pid_dirs(udev_t)
avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
')
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/authlogin.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..367e920 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)
dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)
+dev_search_sysfs(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/setrans.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..8e1e27d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
+kernel_read_system_state(setrans_t)
# allow performing getpidcon() on all processes
domain_read_all_domains_state(setrans_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/setrans.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 8e1e27d..48aefa2 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
mls_process_read_up(setrans_t)
mls_socket_read_all_levels(setrans_t)
+selinux_getattr_fs(setrans_t)
selinux_compute_access_vector(setrans_t)
term_dontaudit_use_generic_ptys(setrans_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/fstools.te | 5 +++++
policy/modules/system/hostname.te | 4 ++++
policy/modules/system/sysnetwork.te | 4 ++++
3 files changed, 13 insertions(+)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d30..b40e06f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
userdom_use_user_terminals(fsadm_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(fsadm_t)
+')
+
+
ifdef(`distro_redhat',`
optional_policy(`
unconfined_domain(fsadm_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 24a7889..d5d4a1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(hostname_t)
+')
+
optional_policy(`
nis_use_ypbind(hostname_t)
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..999e142 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(ifconfig_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
--
1.8.3.1
These named file transitions make sure that these devices get created
with the proper types
This list is probably far from comprehensive because i only added the
ones i was able to confirm on my virtual machine
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/corenetwork.if.in | 25 ++++++
policy/modules/kernel/devices.if | 146 +++++++++++++++++++++++++++++++-
policy/modules/kernel/kernel.te | 42 +++++++++
policy/modules/kernel/terminal.if | 50 +++++++++++
policy/modules/system/udev.te | 4 +
5 files changed, 266 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 07126bd..7158d4a 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1993,6 +1993,31 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
+## Create TUN/TAP virtual network devices
+## in /dev with the tun tap type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`corenet_dev_filetrans_tun_tap',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_filetrans($1, tun_tap_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..147170a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1803,7 +1803,7 @@ interface(`dev_rw_crypto',`
#
interface(`dev_setattr_dlm_control',`
gen_require(`
- type device_t, kvm_device_t;
+ type device_t, dlm_control_device_t;
')
setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
@@ -2017,6 +2017,30 @@ interface(`dev_rw_input_dev',`
########################################
## <summary>
+## Automatic type transition to the type
+## for input device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
@@ -2340,6 +2364,30 @@ interface(`dev_rw_kvm',`
rw_chr_files_pattern($1, device_t, kvm_device_t)
')
+########################################
+## <summary>
+## Automatic type transition to the type
+## for kvm device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, $2)
+')
+
######################################
## <summary>
## Read the lirc device.
@@ -2883,6 +2931,30 @@ interface(`dev_rw_mouse',`
########################################
## <summary>
+## Automatic type transition to the type
+## for mouse device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the memory type range
## registers (MTRR) device.
## </summary>
@@ -3691,6 +3763,30 @@ interface(`dev_write_sound_mixer',`
########################################
## <summary>
+## Automatic type transition to the type
+## for sound mixer device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_sound_mixer',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the the power management device.
## </summary>
## <param name="domain">
@@ -4203,6 +4299,30 @@ interface(`dev_relabel_generic_usb_dev',`
########################################
## <summary>
+## Automatic type transition to the type
+## for usb device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_usb',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
@@ -4648,6 +4768,30 @@ interface(`dev_rw_wireless',`
########################################
## <summary>
+## Automatic type transition to the type
+## for wireless device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..dd1e7e7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -285,6 +285,48 @@ mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+ifdef(`distro_debian',`
+ dev_filetrans_input(kernel_t, "event0")
+ dev_filetrans_input(kernel_t, "event1")
+ dev_filetrans_input(kernel_t, "event2")
+ dev_filetrans_input(kernel_t, "event3")
+ dev_filetrans_input(kernel_t, "event4")
+ dev_filetrans_input(kernel_t, "event5")
+ dev_filetrans_kvm(kernel_t, "kvm")
+ dev_filetrans_mouse(kernel_t, "js0")
+ dev_filetrans_mouse(kernel_t, "js1")
+ dev_filetrans_mouse(kernel_t, "mouse0")
+ dev_filetrans_mouse(kernel_t, "mouse1")
+ dev_filetrans_mouse(kernel_t, "mouse2")
+ dev_filetrans_sound_mixer(kernel_t, "controlC0")
+ dev_filetrans_sound_mixer(kernel_t, "hwC0D0")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0c")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0p")
+ dev_filetrans_usb(kernel_t, "001")
+ dev_filetrans_usb(kernel_t, "002")
+ dev_filetrans_wireless(kernel_t, "rfkill")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs7")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa7")
+
+ term_dev_filetrans_virtio_console(kernel_t, "vport1p1")
+')
+
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..c08b093 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1245,6 +1245,31 @@ interface(`term_use_unallocated_ttys',`
########################################
## <summary>
+## Create unallocated tty devices in /dev
+## with the unallocated tty type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_filetrans($1, tty_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or
## write unallocated ttys.
## </summary>
@@ -1531,3 +1556,28 @@ interface(`term_use_virtio_console',`
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Create virtio console devices in /dev
+## with the virtio console type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ dev_filetrans($1, virtio_device_t, chr_file, $2)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 183e45d..47bfc33 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,8 +174,12 @@ sysnet_etc_filetrans_config(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
+ corenet_dev_filetrans_tun_tap(udev_t, "tun")
+
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
+ storage_dev_filetrans_fixed_disk(udev_t, "loop0")
+
optional_policy(`
# for /usr/lib/avahi/avahi-daemon-check-dns.sh
kernel_read_vm_sysctls(udev_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 374ac00..dd1a887 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
ifdef(`distro_debian',`
+/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 47bfc33..f6ee5ae 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
miscfiles_read_hwdata(udev_t)
modutils_domtrans_insmod(udev_t)
+modutils_read_module_config(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/lvm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..d379ef3 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
dev_relabel_generic_dev_dirs(lvm_t)
dev_manage_generic_blk_files(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(lvm_t)
+dev_rw_sysfs(lvm_t)
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/fstools.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b40e06f..6f9fde9 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -171,6 +171,11 @@ optional_policy(`
')
optional_policy(`
+ devicekit_read_pid_files(fsadm_t)
+ devicekit_append_inherited_log_files(fsadm_t)
+')
+
+optional_policy(`
hal_dontaudit_write_log(fsadm_t)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/sysnetwork.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 999e142..a2b9820 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -201,6 +201,13 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_manage_lib_files(dhcpc_t)
+ networkmanager_stream_connect(dhcpc_t)
+')
+
+optional_policy(`
nis_read_ypbind_pid(dhcpc_t)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/iptables.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..63eb287 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
@@ -105,6 +106,11 @@ optional_policy(`
')
optional_policy(`
+ firewalld_read_config_files(iptables_t)
+ firewalld_dontaudit_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
firstboot_use_fds(iptables_t)
firstboot_rw_pipes(iptables_t)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 79a45f6..bc49474 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -67,7 +67,8 @@ interface(`init_script_file',`
interface(`init_script_domain',`
gen_require(`
attribute init_script_domain_type, init_script_file_type;
- attribute init_run_all_scripts_domain;
+ attribute init_run_all_scripts_domain, direct_init, direct_init_entry;
+ attribute direct_run_init;
')
typeattribute $1 init_script_domain_type;
@@ -77,6 +78,16 @@ interface(`init_script_domain',`
domain_entry_file($1, $2)
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+
+ ifdef(`direct_sysadm_daemon',`
+ domtrans_pattern(direct_run_init, $2, $1)
+ allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+ typeattribute $1 direct_init;
+ typeattribute $2 direct_init_entry;
+
+ userdom_dontaudit_use_user_terminals($1)
+ ')
')
########################################
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/admin/usermanage.fc | 4 ++++
policy/modules/admin/usermanage.te | 3 +++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..4b7737e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
')
+ifdef(`distro_debian',`
+/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
+')
+
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..471d4a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
userdom_dontaudit_search_user_home_dirs(crack_t)
ifdef(`distro_debian',`
+ allow crack_t self:process getsched;
# the package cracklib-runtime on Debian contains a daily maintenance
# script /etc/cron.daily/cracklib-runtime, that calls
# update-cracklib and that calls crack_mkdict, which is a shell script.
corecmd_exec_shell(crack_t)
+ dev_search_sysfs(crack_t)
+ miscfiles_read_localization(crack_t)
')
optional_policy(`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..28a2188 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(unconfined_t, unconfined_r)
+ ')
+',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ ')
+ ')
')
optional_policy(`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/users | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
#
# The following users correspond to Unix identities.
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index bc49474..9bce838 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,6 +998,8 @@ interface(`init_run_daemon',`
')
typeattribute $1 direct_run_init;
+
+ allow $2 system_r;
role_transition $2 direct_init_entry system_r;
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a2b9820..5857838 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -219,6 +219,7 @@ optional_policy(`
optional_policy(`
ntp_initrc_domtrans(dhcpc_t)
+ ntp_read_drift_files(dhcpc_t)
')
optional_policy(`
--
1.8.3.1
This was discussed on the maillist. It was decided to make this part of
the user domain since Python also uses local_home_t
This is part of implementation of X Desktop Group specification support
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 190 ++++++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 3 +
3 files changed, 175 insertions(+), 19 deletions(-)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..ec5c90a 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,5 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:local_home_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 06d8db1..189f786 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -147,7 +147,7 @@ template(`userdom_base_user_template',`
#
interface(`userdom_ro_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')
##############################
@@ -159,12 +159,12 @@ interface(`userdom_ro_home_role',`
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
- allow $2 user_home_t:dir list_dir_perms;
- allow $2 user_home_t:file entrypoint;
- read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:dir list_dir_perms;
+ allow $2 ( local_home_t user_home_t }:file entrypoint;
+ read_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_lnk_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_fifo_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_sock_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
files_list_home($2)
tunable_policy(`use_nfs_home_dirs',`
@@ -218,7 +218,7 @@ interface(`userdom_ro_home_role',`
#
interface(`userdom_manage_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')
##############################
@@ -229,18 +229,19 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
- allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:file entrypoint;
+ manage_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ filetrans_pattern($2, user_home_t, local_home_t, dir, ".local")
files_list_home($2)
# cjp: this should probably be removed:
@@ -2200,6 +2201,157 @@ interface(`userdom_manage_user_home_content_sockets',`
########################################
## <summary>
+## Create generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_generic_local_home_dirs',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ allow $1 local_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir list_dir_perms;
+ allow $1 local_home_t:file read_file_perms;
+ allow $1 local_home_t:fifo_file read_fifo_file_perms;
+ allow $1 local_home_t:lnk_file read_lnk_file_perms;
+ allow $1 local_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir manage_dir_perms;
+ allow $1 local_home_t:file manage_file_perms;
+ allow $1 local_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 local_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 local_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_generic_local_home',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## local home directories with an automatic
+## type transition to a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_local_home_filetrans',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ filetrans_pattern($1, local_home_t, $2, $3, $4)
+ userdom_search_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic user
+## home content directories with an automatic
+## type transition to the generic local
+## home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_content_filetrans_local_home',`
+ gen_require(`
+ type user_home_t, local_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, local_home_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..d657ea7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -58,6 +58,9 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
+type local_home_t;
+userdom_user_home_content(local_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..c74ba1f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /dev
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 6 ++++++
policy/users | 7 -------
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 28a2188..4e4a4c5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
+
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
diff --git a/policy/users b/policy/users
index 5db8cf4..25402af 100644
--- a/policy/users
+++ b/policy/users
@@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-# Until order dependence is fixed for users:
-ifdef(`direct_sysadm_daemon',`
- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
-
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..5de913e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -179,6 +179,11 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
+ifdef(`distro_debian',`
+fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+')
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/libraries.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..d9408e6 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -117,6 +117,10 @@ ifdef(`distro_redhat',`
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ifdef(`distro_debian',`
+/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
+')
+
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5de913e..4691035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -180,7 +180,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_debian',`
-fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')
@@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
userdom_use_user_terminals(initrc_t)
ifdef(`distro_debian',`
+ kernel_getattr_core_if(initrc_t)
+
+ dev_getattr_generic_blk_files(initrc_t)
dev_setattr_generic_dirs(initrc_t)
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4691035..7f8797a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -450,6 +450,10 @@ ifdef(`distro_debian',`
storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
+
+ optional_policy(`
+ exim_manage_var_lib_files(initrc_t)
+ ')
')
ifdef(`distro_gentoo',`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7f8797a..cd97c98 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -454,6 +454,14 @@ ifdef(`distro_debian',`
optional_policy(`
exim_manage_var_lib_files(initrc_t)
')
+
+ optional_policy(`
+ gdomap_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+ minissdpd_read_config(initrc_t)
+ ')
')
ifdef(`distro_gentoo',`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index dd1a887..0b4df21 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -12,6 +12,7 @@
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
ifdef(`distro_debian',`
+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9bce838..dc9f92b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -77,6 +77,8 @@ interface(`init_script_domain',`
domain_type($1)
domain_entry_file($1, $2)
+ role system_r types $1;
+
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
ifdef(`direct_sysadm_daemon',`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/setrans.te | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..d7559d8 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
type sshd_key_t;
files_type(sshd_key_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 48aefa2..dcd7c62 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -20,6 +20,10 @@ type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(setrans_var_run_t, "setrans")
+')
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/kernel.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index dd1e7e7..d7a9b47 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_request_load_module(kernel_t)
+
# Allow unlabeled network traffic
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
--
1.8.3.1
1. device_t type was used but not required
2. the interface name suggest all dev files and that includes device_t
chr/blk files as well. If the interface name would say all_dev_nodes
then it would have been a different story
In debian kernel needs to set attributes of generic device_t blk files
(/dev/dm-.*) Some how theyre created with generic device_t
In debian kernel needs to create, and set attributes of atleast the chr
files that i added named file transtion rules for but i added
permissions to kernel to create and set attributes of any chr file in
/dev ( that includes generic device_t type chr files
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/kernel/devices.if | 12 ++++++++----
policy/modules/kernel/kernel.te | 4 ++++
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 147170a..afcc522 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
interface(`dev_setattr_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- setattr_blk_files_pattern($1, device_t, device_node)
+ setattr_blk_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
interface(`dev_setattr_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- setattr_chr_files_pattern($1, device_t, device_node)
+ setattr_chr_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
interface(`dev_create_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- create_blk_files_pattern($1, device_t, device_node)
+ create_blk_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
interface(`dev_create_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- create_chr_files_pattern($1, device_t, device_node)
+ create_chr_files_pattern($1, device_t, { device_node device_t })
')
########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d7a9b47..b9d6a3a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
ifdef(`distro_debian',`
+ dev_create_all_chr_files(kernel_t)
+ dev_setattr_all_blk_files(kernel_t)
+ dev_setattr_all_chr_files(kernel_t)
+
dev_filetrans_input(kernel_t, "event0")
dev_filetrans_input(kernel_t, "event1")
dev_filetrans_input(kernel_t, "event2")
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..5fd339b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
')
+
+ optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6d77e81..acc9ff7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(user, user_r, user_t)
')
+
+ optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 189f786..dc03698 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
gnome_role_template($1, $1_r, $1_t)
wm_role_template($1, $1_r, $1_t)
')
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_t)
+ ')
')
optional_policy(`
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd97c98..95f2284 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
+
+allow init_t initrc_var_run_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..a7faaad 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -301,7 +301,7 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
--
1.8.3.1
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/services/xserver.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a7faaad..2ae8acb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t)
-ifndef(`distro_redhat',`
- allow xserver_t self:process { execmem execheap execstack };
- domain_mmap_low_uncond(xserver_t)
-')
+# ifndef(`distro_redhat',`
+# allow xserver_t self:process { execmem execheap execstack };
+# domain_mmap_low_uncond(xserver_t)
+# ')
ifdef(`distro_rhel4',`
allow xserver_t self:process { execmem execheap execstack };
--
1.8.3.1
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <[email protected]>
---
policy/modules/system/unconfined.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 4e4a4c5..bb1696d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -198,10 +198,6 @@ optional_policy(`
wine_domtrans(unconfined_t)
')
-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
########################################
#
# Unconfined Execmem Local policy
--
1.8.3.1
I also experience this problem when I reconnect my mouse, so it isn't
debian-specific. I'm not a SELinux expert, but this patch looks like a
workaround to me, not like a real fix. It's also a bit limited: For
example, on my system, there are more event devices than event0 -
event5 (atm, the mouse in question is at event9).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131110/b099aaa6/attachment.bin
On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
> I also experience this problem when I reconnect my mouse, so it isn't
> debian-specific. I'm not a SELinux expert, but this patch looks like a
> workaround to me, not like a real fix. It's also a bit limited: For
> example, on my system, there are more event devices than event0 -
> event5 (atm, the mouse in question is at event9).
I consider this to be a )possible) starting point
I do not think we should add named file type transitions for every
conceivable object in /dev like i think Fedora does
Only the ones that are actually confirmed. but yes this should probably
not be distro specific.
Consider this patch a [RFC]
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/10/2013 03:58 PM, Dominick Grift wrote:
> On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
>> I also experience this problem when I reconnect my mouse, so it isn't
>> debian-specific. I'm not a SELinux expert, but this patch looks like a
>> workaround to me, not like a real fix. It's also a bit limited: For
>> example, on my system, there are more event devices than event0 - event5
>> (atm, the mouse in question is at event9).
>
> I consider this to be a )possible) starting point
>
> I do not think we should add named file type transitions for every
> conceivable object in /dev like i think Fedora does
>
> Only the ones that are actually confirmed. but yes this should probably not
> be distro specific.
>
> Consider this patch a [RFC]
>
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
The ones we have added in Fedora have been confirmed. We just round up to
the next 10 when they happen. We add them when we see bug reports for
mislabeled devices.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKA5/UACgkQrlYvE4MpobMamgCgtKW39NzDr358RVqy+VqKD7yG
/y4An0sAzsWITVqxZPMBaRL3Vhs/5nRb
=9UaC
-----END PGP SIGNATURE-----
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/mount.te | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 459a0ef..ea1016d 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -107,7 +107,6 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> fs_rw_tmpfs_chr_files(mount_t)
> fs_read_tmpfs_symlinks(mount_t)
> fs_dontaudit_write_tmpfs_dirs(mount_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.fc | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index f41857e..374ac00 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -30,7 +30,6 @@ ifdef(`distro_redhat',`
>
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 39f185f..183e45d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -184,6 +184,7 @@ ifdef(`distro_debian',`
> avahi_create_pid_dirs(udev_t)
> avahi_initrc_domtrans(udev_t)
> avahi_manage_pid_files(udev_t)
> + avahi_setattr_pid_dirs(udev_t)
> avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
> ')
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/authlogin.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 09b791d..367e920 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> dev_read_urand(chkpwd_t)
> +dev_search_sysfs(chkpwd_t)
>
> files_read_etc_files(chkpwd_t)
> # for nscd
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/setrans.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 1447687..8e1e27d 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
> files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
>
> kernel_read_kernel_sysctls(setrans_t)
> -kernel_read_proc_symlinks(setrans_t)
> +kernel_read_system_state(setrans_t)
>
> # allow performing getpidcon() on all processes
> domain_read_all_domains_state(setrans_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 47bfc33..f6ee5ae 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
> miscfiles_read_hwdata(udev_t)
>
> modutils_domtrans_insmod(udev_t)
> +modutils_read_module_config(udev_t)
> # read modules.inputmap:
> modutils_read_module_deps(udev_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/fstools.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index b40e06f..6f9fde9 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -171,6 +171,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_read_pid_files(fsadm_t)
> + devicekit_append_inherited_log_files(fsadm_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_write_log(fsadm_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 7 +++++++
> 1 file changed, 7 insertions(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index 999e142..a2b9820 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -201,6 +201,13 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_domtrans(dhcpc_t)
> + networkmanager_read_pid_files(dhcpc_t)
> + networkmanager_manage_lib_files(dhcpc_t)
> + networkmanager_stream_connect(dhcpc_t)
> +')
> +
> +optional_policy(`
> nis_read_ypbind_pid(dhcpc_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a2b9820..5857838 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -219,6 +219,7 @@ optional_policy(`
>
> optional_policy(`
> ntp_initrc_domtrans(dhcpc_t)
> + ntp_read_drift_files(dhcpc_t)
> ')
>
> optional_policy(`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/ssh.te | 4 ++++
> policy/modules/system/setrans.te | 4 ++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index cc877c7..d7559d8 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
> ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(sshd_var_run_t, "sshd")
> +')
> +
> type sshd_key_t;
> files_type(sshd_key_t)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 48aefa2..dcd7c62 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -20,6 +20,10 @@ type setrans_var_run_t;
> files_pid_file(setrans_var_run_t)
> mls_trusted_object(setrans_var_run_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(setrans_var_run_t, "setrans")
> +')
> +
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/kernel.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index dd1e7e7..d7a9b47 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_request_load_module(kernel_t)
> +
> # Allow unlabeled network traffic
> allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> corenet_in_generic_if(unlabeled_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 8b40377..a7faaad 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -301,7 +301,7 @@ optional_policy(`
> #
>
> allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
> -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
> +allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
> allow xdm_t self:fifo_file rw_fifo_file_perms;
> allow xdm_t self:shm create_shm_perms;
> allow xdm_t self:sem create_sem_perms;
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> It would not be sufficient in the current shape anyways because
> unconfined_r is not associated with xserver_t
>
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 4e4a4c5..bb1696d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -198,10 +198,6 @@ optional_policy(`
> wine_domtrans(unconfined_t)
> ')
>
> -optional_policy(`
> - xserver_domtrans(unconfined_t)
> -')
> -
> ########################################
> #
> # Unconfined Execmem Local policy
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/userdomain.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9dc60c6..06d8db1 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
>
> ########################################
> ## <summary>
> +## Delete user tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read user tmpfs files.
> ## </summary>
> ## <param name="domain">
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/setrans.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 8e1e27d..48aefa2 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
> mls_process_read_up(setrans_t)
> mls_socket_read_all_levels(setrans_t)
>
> +selinux_getattr_fs(setrans_t)
> selinux_compute_access_vector(setrans_t)
>
> term_dontaudit_use_generic_ptys(setrans_t)
Instead of merging this, I replaced the seutil_read_config() with seutil_libselinux_linked(). It has the above access that you wanted to add.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
Merged, with a whitespace fix.
> ---
> policy/modules/system/fstools.te | 5 +++++
> policy/modules/system/hostname.te | 4 ++++
> policy/modules/system/sysnetwork.te | 4 ++++
> 3 files changed, 13 insertions(+)
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 3f48d30..b40e06f 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
>
> userdom_use_user_terminals(fsadm_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(fsadm_t)
> +')
> +
> +
> ifdef(`distro_redhat',`
> optional_policy(`
> unconfined_domain(fsadm_t)
> diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
> index 24a7889..d5d4a1c 100644
> --- a/policy/modules/system/hostname.te
> +++ b/policy/modules/system/hostname.te
> @@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
> sysnet_read_config(hostname_t)
> sysnet_dns_name_resolve(hostname_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(hostname_t)
> +')
> +
> optional_policy(`
> nis_use_ypbind(hostname_t)
> ')
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a392fc4..999e142 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
> userdom_use_user_terminals(ifconfig_t)
> userdom_use_all_users_fds(ifconfig_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(ifconfig_t)
> +')
> +
> ifdef(`distro_ubuntu',`
> optional_policy(`
> unconfined_domain(ifconfig_t)
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/udev.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 374ac00..dd1a887 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> +/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/lvm.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 79048c4..d379ef3 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
> dev_relabel_generic_dev_dirs(lvm_t)
> dev_manage_generic_blk_files(lvm_t)
> # Read /sys/block. Device mapper metadata is kept there.
> -dev_read_sysfs(lvm_t)
> +dev_rw_sysfs(lvm_t)
> # cjp: this has no effect since LVM does not
> # have lnk_file relabelto for anything else.
> # perhaps this should be blk_files?
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index a7faaad..2ae8acb 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
>
> -ifndef(`distro_redhat',`
> - allow xserver_t self:process { execmem execheap execstack };
> - domain_mmap_low_uncond(xserver_t)
> -')
> +# ifndef(`distro_redhat',`
> +# allow xserver_t self:process { execmem execheap execstack };
> +# domain_mmap_low_uncond(xserver_t)
> +# ')
>
> ifdef(`distro_rhel4',`
> allow xserver_t self:process { execmem execheap execstack };
>
I suspect this can be removed, not just commented out. Sven, can you confirm on Gentoo?
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/05/2013 09:21 AM, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <[email protected]> ---
>> policy/modules/services/xserver.te | 8 ++++---- 1 file changed, 4
>> insertions(+), 4 deletions(-)
>>
>> diff --git a/policy/modules/services/xserver.te
>> b/policy/modules/services/xserver.te index a7faaad..2ae8acb 100644 ---
>> a/policy/modules/services/xserver.te +++
>> b/policy/modules/services/xserver.te @@ -741,10 +741,10 @@
>> userdom_rw_user_tmpfs_files(xserver_t)
>>
>> xserver_use_user_fonts(xserver_t)
>>
>> -ifndef(`distro_redhat',` - allow xserver_t self:process { execmem
>> execheap execstack }; - domain_mmap_low_uncond(xserver_t) -') +#
>> ifndef(`distro_redhat',` +# allow xserver_t self:process { execmem
>> execheap execstack }; +# domain_mmap_low_uncond(xserver_t) +# ')
>>
>> ifdef(`distro_rhel4',` allow xserver_t self:process { execmem execheap
>> execstack };
>>
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
Yes just remove it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKgjKEACgkQrlYvE4MpobMu3gCfTnyROmzZDASGXSFwLRShAh+M
ulAAn30rmZ8uS+vMFVVADisay/CnTfh9
=rxIQ
-----END PGP SIGNATURE-----
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 6 ++++++
> policy/users | 7 -------
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 28a2188..4e4a4c5 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> optional_policy(`
> unconfined_dbus_chat(unconfined_execmem_t)
> ')
> +
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
> diff --git a/policy/users b/policy/users
> index 5db8cf4..25402af 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> -# Until order dependence is fixed for users:
> -ifdef(`direct_sysadm_daemon',`
> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -',`
> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -')
> -
> #
> # The following users correspond to Unix identities.
> # These identities are typically assigned as the user attribute
I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/services/xserver.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 8274418..c74ba1f 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/system/unconfined.te | 6 ++++++
> > policy/users | 7 -------
> > 2 files changed, 6 insertions(+), 7 deletions(-)
> >
> > diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> > index 28a2188..4e4a4c5 100644
> > --- a/policy/modules/system/unconfined.te
> > +++ b/policy/modules/system/unconfined.te
> > @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> > optional_policy(`
> > unconfined_dbus_chat(unconfined_execmem_t)
> > ')
> > +
> > +ifdef(`direct_sysadm_daemon',`
> > + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +',`
> > + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +')
> > diff --git a/policy/users b/policy/users
> > index 5db8cf4..25402af 100644
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> > gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > -# Until order dependence is fixed for users:
> > -ifdef(`direct_sysadm_daemon',`
> > - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -',`
> > - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -')
> > -
> > #
> > # The following users correspond to Unix identities.
> > # These identities are typically assigned as the user attribute
>
> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>
> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>
Ouch, i seem to not have tested that. i should follow my own advice.
problem is monolithic builts take so long. Atleast with modular you can
cheat by skipping the assertion checking (although i should not do that
either)
Do you think this error might be related to that?
> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
> typeattribute user_t domain;
> #line 13
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/unconfined.te | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 5fe902d..28a2188 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)
>
> userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
>
> -ifdef(`distro_gentoo',`
> - seutil_run_runinit(unconfined_t, unconfined_r)
> - seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> +ifdef(`direct_sysadm_daemon',`
> + optional_policy(`
> + init_run_daemon(unconfined_t, unconfined_r)
> + ')
> +',`
> + ifdef(`distro_gentoo',`
> + optional_policy(`
> + seutil_run_runinit(unconfined_t, unconfined_r)
> + seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> + ')
> + ')
> ')
I get an error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
#line 52
role_transition unconfined_r direct_init_entry system_r;
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.29] Error 1
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/services/xserver.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> > index 8274418..c74ba1f 100644
> > --- a/policy/modules/services/xserver.fc
> > +++ b/policy/modules/services/xserver.fc
> > @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> >
> > #
>
> Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
>
I can't tell, both xdm_t as well as xauth_t are currently allowed to
create files in user home directories with the xauth_home_t type
Does it make sense for a efficiency/security standpoint to create new
type for this?
Anyways if you want a new type for this then drop this patch for now
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2013 08:56 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <[email protected]> ---
>>> policy/modules/services/xserver.fc | 1 + 1 file changed, 1
>>> insertion(+)
>>>
>>> diff --git a/policy/modules/services/xserver.fc
>>> b/policy/modules/services/xserver.fc index 8274418..c74ba1f 100644 ---
>>> a/policy/modules/services/xserver.fc +++
>>> b/policy/modules/services/xserver.fc @@ -9,6 +9,7 @@
>>> HOME_DIR/\.ICEauthority.* --
>>> gen_context(system_u:object_r:iceauth_home_t,s0)
>>> HOME_DIR/\.serverauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.*
>>> -- gen_context(system_u:object_r:xauth_home_t,s0)
>>> +HOME_DIR/\.xsession-errors.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0)
>>>
>>> #
>>
>> Does xauth create this log? If xdm does, then it makes more sense to
>> have an xdm derived type. Otherwise I don't see why this shouldn't be
>> user_home_t.
>>
>
> I can't tell, both xdm_t as well as xauth_t are currently allowed to create
> files in user home directories with the xauth_home_t type
>
> Does it make sense for a efficiency/security standpoint to create new type
> for this?
>
> Anyways if you want a new type for this then drop this patch for now
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
In fedora we have xdm_home_t.
matchpathcon ~/.xsession-errors
/home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKh2EQACgkQrlYvE4MpobOFPgCggrH02jfz/XJD+/EGifWNQqgX
5AIAnRDmx9AEzxw2glJ7lU+rrvTQZrAZ
=iKvZ
-----END PGP SIGNATURE-----
On 12/06/13 08:49, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <[email protected]>
>>> ---
>>> policy/modules/system/unconfined.te | 6 ++++++
>>> policy/users | 7 -------
>>> 2 files changed, 6 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 28a2188..4e4a4c5 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
>>> optional_policy(`
>>> unconfined_dbus_chat(unconfined_execmem_t)
>>> ')
>>> +
>>> +ifdef(`direct_sysadm_daemon',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +')
>>> diff --git a/policy/users b/policy/users
>>> index 5db8cf4..25402af 100644
>>> --- a/policy/users
>>> +++ b/policy/users
>>> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
>>> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
>>> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>>
>>> -# Until order dependence is fixed for users:
>>> -ifdef(`direct_sysadm_daemon',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -')
>>> -
>>> #
>>> # The following users correspond to Unix identities.
>>> # These identities are typically assigned as the user attribute
>>
>> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>>
>> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>>
>
> Ouch, i seem to not have tested that. i should follow my own advice.
> problem is monolithic builts take so long. Atleast with modular you can
> cheat by skipping the assertion checking (although i should not do that
> either)
>
> Do you think this error might be related to that?
It could be, but a further inspection of the policy.conf would be required, since the error message by itself isn't very helpful.
>> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
>> typeattribute user_t domain;
>> #line 13
>> checkpolicy: error(s) encountered while parsing configuration
>> make: *** [policy.29] Error 1
>>
>
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/users | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/policy/users b/policy/users
> index c4ebc7e..5db8cf4 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> # Until order dependence is fixed for users:
> -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
>
> #
> # The following users correspond to Unix identities.
Skipping this for now since the corresponding other change in unconfined has that transition conflict.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:
> In fedora we have xdm_home_t.
>
> matchpathcon ~/.xsession-errors
> /home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
>
>
Thanks, yes i know, the question i have is, is it worth it to create a
private type for this.
On Fri, 2013-12-06 at 08:50 -0500, Christopher J. PeBenito wrote:
> I get an error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
> #line 52
> role_transition unconfined_r direct_init_entry system_r;
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>
>
Monolithic i assume. Because i did not see this in modular builts.
This can probably be easily fixed though
What is more important to me right now is to know that you are not
opposed to the idea of making direct_sysadm_daemon apply to unconfined_t
in general.
I am sorry though about all these built errors i should have tested it
more thoroughly...
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/admin/usermanage.fc | 4 ++++
> policy/modules/admin/usermanage.te | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
> index f82f0ce..4b7737e 100644
> --- a/policy/modules/admin/usermanage.fc
> +++ b/policy/modules/admin/usermanage.fc
> @@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
> /bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
> ')
>
> +ifdef(`distro_debian',`
> +/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
> +')
> +
> /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
> /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
> /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1d732f1..471d4a7 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
> userdom_dontaudit_search_user_home_dirs(crack_t)
>
> ifdef(`distro_debian',`
> + allow crack_t self:process getsched;
> # the package cracklib-runtime on Debian contains a daily maintenance
> # script /etc/cron.daily/cracklib-runtime, that calls
> # update-cracklib and that calls crack_mkdict, which is a shell script.
> corecmd_exec_shell(crack_t)
> + dev_search_sysfs(crack_t)
> + miscfiles_read_localization(crack_t)
> ')
>
> optional_policy(`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/iptables.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index be8ed1e..63eb287 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
> allow iptables_t iptables_tmp_t:file manage_file_perms;
> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>
> +kernel_getattr_proc(iptables_t)
> kernel_request_load_module(iptables_t)
> kernel_read_system_state(iptables_t)
> kernel_read_network_state(iptables_t)
> @@ -105,6 +106,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + firewalld_read_config_files(iptables_t)
> + firewalld_dontaudit_rw_tmp_files(iptables_t)
> +')
> +
> +optional_policy(`
> firstboot_use_fds(iptables_t)
> firstboot_rw_pipes(iptables_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/libraries.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
> index 73bb3c0..d9408e6 100644
> --- a/policy/modules/system/libraries.fc
> +++ b/policy/modules/system/libraries.fc
> @@ -117,6 +117,10 @@ ifdef(`distro_redhat',`
>
> /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
> +ifdef(`distro_debian',`
> +/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
> +')
> +
> /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/roles/staff.te | 4 ++++
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/system/userdomain.if | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 0fef1fc..5fd339b 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(staff, staff_r, staff_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(staff_r, staff_t)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 6d77e81..acc9ff7 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(user, user_r, user_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(user_r, user_t)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 189f786..dc03698 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
> gnome_role_template($1, $1_r, $1_t)
> wm_role_template($1, $1_r, $1_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role($1_r, $1_t)
> + ')
> ')
>
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2013 09:29 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:
>
>> In fedora we have xdm_home_t.
>>
>> matchpathcon ~/.xsession-errors /home/dwalsh/.xsession-errors
>> staff_u:object_r:xdm_home_t:s0
>>
>>
>
> Thanks, yes i know, the question i have is, is it worth it to create a
> private type for this.
>
>
Maybe not. At least gdm and kdm no longer create this content, I think they
are writing it to journald now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKh7tAACgkQrlYvE4MpobN3SwCfe7IPBQlzPwdRLtwLCj6SrF8f
ABcAoOLZcLFBCR8C9XuyiRPZGbD8EMHK
=f6kz
-----END PGP SIGNATURE-----
I auditallow'ed the statements to see if they were triggered during a
normal x session (startup, some spps, shutdown) and they were not, so ok to
remove.
On Dec 5, 2013 3:22 PM, "Christopher J. PeBenito" <[email protected]>
wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/services/xserver.te | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> > index a7faaad..2ae8acb 100644
> > --- a/policy/modules/services/xserver.te
> > +++ b/policy/modules/services/xserver.te
> > @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
> >
> > xserver_use_user_fonts(xserver_t)
> >
> > -ifndef(`distro_redhat',`
> > - allow xserver_t self:process { execmem execheap execstack };
> > - domain_mmap_low_uncond(xserver_t)
> > -')
> > +# ifndef(`distro_redhat',`
> > +# allow xserver_t self:process { execmem execheap execstack };
> > +# domain_mmap_low_uncond(xserver_t)
> > +# ')
> >
> > ifdef(`distro_rhel4',`
> > allow xserver_t self:process { execmem execheap execstack };
> >
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> http://www.tresys.com | oss.tresys.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20131206/f55466a5/attachment.html
On Fri, 2013-12-06 at 17:22 +0100, Sven Vermeulen wrote:
> I auditallow'ed the statements to see if they were triggered during a
> normal x session (startup, some spps, shutdown) and they were not, so ok to
> remove.
Thanks, i will submit a patch that removes these
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index bc49474..9bce838 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -998,6 +998,8 @@ interface(`init_run_daemon',`
> ')
>
> typeattribute $1 direct_run_init;
> +
> + allow $2 system_r;
> role_transition $2 direct_init_entry system_r;
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9bce838..dc9f92b 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -77,6 +77,8 @@ interface(`init_script_domain',`
> domain_type($1)
> domain_entry_file($1, $2)
>
> + role system_r types $1;
> +
> domtrans_pattern(init_run_all_scripts_domain, $2, $1)
>
> ifdef(`direct_sysadm_daemon',`
This failed to apply for me; it's been manually applied.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 17eda24..5de913e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -179,6 +179,11 @@ seutil_read_config(init_t)
>
> miscfiles_read_localization(init_t)
>
> +ifdef(`distro_debian',`
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> +')
> +
> ifdef(`distro_gentoo',`
> allow init_t self:process { getcap setcap };
Merged with whitespace fix.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index cd97c98..95f2284 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> +
> +allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
Merged manually due to a whitespace fix on the prior patch.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Sat, 2013-11-09 at 10:45 +0100, Dominick Grift wrote:
Please merge this patch asap.
Current refpolicy does not build without this patch
This was a rebase mistake by me.
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 4691035..7f8797a 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -450,6 +450,10 @@ ifdef(`distro_debian',`
> storage_tmpfs_filetrans_fixed_disk(initrc_t)
>
> files_setattr_etc_dirs(initrc_t)
> +
> + optional_policy(`
> + exim_manage_var_lib_files(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 7f8797a..cd97c98 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -454,6 +454,14 @@ ifdef(`distro_debian',`
> optional_policy(`
> exim_manage_var_lib_files(initrc_t)
> ')
> +
> + optional_policy(`
> + gdomap_read_config(initrc_t)
> + ')
> +
> + optional_policy(`
> + minissdpd_read_config(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On 11/09/13 04:45, Dominick Grift wrote:
> 1. device_t type was used but not required
> 2. the interface name suggest all dev files and that includes device_t
> chr/blk files as well. If the interface name would say all_dev_nodes
> then it would have been a different story
>
> In debian kernel needs to set attributes of generic device_t blk files
> (/dev/dm-.*) Some how theyre created with generic device_t
>
> In debian kernel needs to create, and set attributes of atleast the chr
> files that i added named file transtion rules for but i added
> permissions to kernel to create and set attributes of any chr file in
> /dev ( that includes generic device_t type chr files
Fails to apply for me.
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/kernel/devices.if | 12 ++++++++----
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 147170a..afcc522 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
> interface(`dev_setattr_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_blk_files_pattern($1, device_t, device_node)
> + setattr_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
> interface(`dev_setattr_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_chr_files_pattern($1, device_t, device_node)
> + setattr_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
> interface(`dev_create_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_blk_files_pattern($1, device_t, device_node)
> + create_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
> interface(`dev_create_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_chr_files_pattern($1, device_t, device_node)
> + create_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d7a9b47..b9d6a3a 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
> mls_file_read_all_levels(kernel_t)
>
> ifdef(`distro_debian',`
> + dev_create_all_chr_files(kernel_t)
> + dev_setattr_all_blk_files(kernel_t)
> + dev_setattr_all_chr_files(kernel_t)
> +
> dev_filetrans_input(kernel_t, "event0")
> dev_filetrans_input(kernel_t, "event1")
> dev_filetrans_input(kernel_t, "event2")
>
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
Le Sat, 9 Nov 2013 10:45:09 +0100,
Dominick Grift <[email protected]> a ?crit :
> Signed-off-by: Dominick Grift <[email protected]>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te
> b/policy/modules/system/init.te index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
Hi,
Apparently this patch has never been merged (but the first chunk is not
applying anymore), should I repropose it or would you have the time to
do it?
Cheers,
Laurent Bigonville
On Thu, 2014-02-06 at 20:56 +0100, Laurent Bigonville wrote:
> Le Sat, 9 Nov 2013 10:45:09 +0100,
> Dominick Grift <[email protected]> a ?crit :
>
> > Signed-off-by: Dominick Grift <[email protected]>
> > ---
> > policy/modules/system/init.te | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/init.te
> > b/policy/modules/system/init.te index 5de913e..4691035 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> > miscfiles_read_localization(init_t)
> >
> > ifdef(`distro_debian',`
> > -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> > +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> > fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> > ')
> >
> > @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> > userdom_use_user_terminals(initrc_t)
> >
> > ifdef(`distro_debian',`
> > + kernel_getattr_core_if(initrc_t)
> > +
> > + dev_getattr_generic_blk_files(initrc_t)
> > dev_setattr_generic_dirs(initrc_t)
> >
> > fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
>
> Hi,
>
> Apparently this patch has never been merged (but the first chunk is not
> applying anymore), should I repropose it or would you have the time to
> do it?
>
> Cheers,
I lost the passphrase of my ssh key for contrib so probably best to
resumbit a new patch because i wont be able to commit this
>
> Laurent Bigonville