I was going through the policy and adding all the _admin interfaces to sysadm
in the gentoo policy and hit quite a number of syntax errors. They are mostly
just typos and missing types in gen_require.
The last two remove the _role interface to not be called from _admin since the
_role is already called in the role definitions and there is a
conflict if it gets called twice, so removing it from the _admin interface
seemed reasonable. Commented them out and wrote a note above. Would it instead
be preferred if I just removed it completely?
-- Jason
---
ccs.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/ccs.if b/ccs.if
index 5ded72d..bb17e0f 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
interface(`ccs_admin',`
gen_require(`
type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
- type ccs_var_lib_t_t, ccs_var_log_t;
- type ccs_var_run_t, ccs_tmp_t;
+ type ccs_var_lib_t, ccs_var_log_t;
+ type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
')
allow $1 ccs_t:process { ptrace signal_perms };
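Review bot: the second `+` line adds ccs_conf_t to gen_require, but none of the body that would use it is in the hunk; confirm there is an admin_pattern($1, ccs_conf_t) (or equivalent) further down, otherwise this is a require with no user. The ccs_var_lib_t_t -> ccs_var_lib_t fix is right, and it shows why these interfaces broke silently: a gen_require naming a type that does not exist only fails once some module actually calls the interface.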
--
2.0.4
---
condor.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/condor.if b/condor.if
index 881d92f..c80aaf5 100644
--- a/condor.if
+++ b/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
interface(`condor_admin',`
gen_require(`
attribute condor_domain;
- type condor_initrc_exec_config_t, condor_log_t;
+ type condor_initrc_exec_t, condor_log_t;
type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
')
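Review bot: condor_initrc_exec_config_t -> condor_initrc_exec_t reads like two names run together; confirm condor_initrc_exec_t is the name condor.te declares for the init script and that the init_labeled_script_domtrans call in the body (not in the hunk) uses the same spelling, since this interface will only be compiled when something calls it.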
--
2.0.4
---
distcc.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/distcc.if b/distcc.if
index 24d8c74..473823d 100644
--- a/distcc.if
+++ b/distcc.if
@@ -20,7 +20,7 @@
interface(`distcc_admin',`
gen_require(`
type distccd_t, distccd_t, distccd_log_t;
- type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+ type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
')
allow $1 distccd_t:process { ptrace signal_perms };
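Review bot: the unchanged context line `type distccd_t, distccd_t, distccd_log_t;` lists distccd_t twice; since the hunk already touches this gen_require block, drop the duplicate in the same patch. The disccd_var_run_t -> distccd_var_run_t fix itself is correct.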
--
2.0.4
---
ftp.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/ftp.if b/ftp.if
index 4498143..65adda9 100644
--- a/ftp.if
+++ b/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
type ftpd_keytab_t;
')
- allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+ allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
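Review bot: anon_sftpd -> anon_sftpd_t brings the allow rule's domain set in line with the ps_process_pattern set on the next line, which is the right fix; also check that anon_sftpd_t is in the gen_require above, because only its last line (ftpd_keytab_t) is visible here and a missing require would fail the same way on first use.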
--
2.0.4
---
kerberos.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/kerberos.if b/kerberos.if
index f6c00d8..77a5c49 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
type krb5kdc_var_run_t, krb5_host_rcache_t;
')
- allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
- ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+ allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+ ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
domain_system_change_exemption($1)
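Review bot: both fixed lines now use kpropd_t, consistent with kadmind_t and krb5kdc_t; the visible tail of gen_require only shows krb5kdc_var_run_t and krb5_host_rcache_t, so verify kpropd_t is required there as well or the interface will still not build when called.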
--
2.0.4
---
kismet.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/kismet.if b/kismet.if
index aa2a337..f20de6e 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
interface(`kismet_admin',`
gen_require(`
type kismet_t, kismet_var_lib_t, kismet_var_run_t;
- type kismet_log_t, kismet_tmp_t;
+ type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
')
init_labeled_script_domtrans($1, kismet_initrc_exec_t)
--
2.0.4
---
nut.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nut.if b/nut.if
index 57c0161..c606ae6 100644
--- a/nut.if
+++ b/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
')
allow $1 nut_domain:process { ptrace signal_perms };
- ps_process_pattern($1, nut_domain_t)
+ ps_process_pattern($1, nut_domain)
init_labeled_script_domtrans($1, nut_initrc_exec_t)
domain_system_change_exemption($1)
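Review bot: nut_domain is used as an attribute by the allow rule on the previous line, so `ps_process_pattern($1, nut_domain)` is the consistent form; make sure the gen_require above (not in the hunk) declares it as `attribute nut_domain;` rather than as a type.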
--
2.0.4
---
prelude.if | 1 +
1 file changed, 1 insertion(+)
diff --git a/prelude.if b/prelude.if
index c83a838..db8f510 100644
--- a/prelude.if
+++ b/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
type prelude_audisp_t, prelude_audisp_var_run_t;
type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+ type prelude_correlator_t;
')
allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
--
2.0.4
---
psad.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/psad.if b/psad.if
index d4dcf78..cdc83d2 100644
--- a/psad.if
+++ b/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
gen_require(`
type psad_t, psad_var_run_t, psad_var_log_t;
type psad_initrc_exec_t, psad_var_lib_t;
- type psad_tmp_t;
+ type psad_tmp_t, psad_etc_t;
')
allow $1 psad_t:process { ptrace signal_perms };
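Review bot: psad_etc_t is added to gen_require but its use site is not in the hunk; confirm the body has an admin_pattern($1, psad_etc_t) so the new require is not dead.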
--
2.0.4
---
quota.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/quota.if b/quota.if
index da64218..68611e3 100644
--- a/quota.if
+++ b/quota.if
@@ -190,7 +190,7 @@ interface(`quota_admin',`
allow $2 system_r;
files_list_all($1)
- admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+ admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
quota_run($1, $2)
')
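Review bot: quota_flag -> quota_flag_t fixes the admin_pattern set, but the gen_require for quota_admin sits above this hunk; verify quota_flag_t (and quota_nld_var_run_t) are required there, because admin_pattern on an unrequired type is exactly the error that only appears once sysadm calls the interface.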
--
2.0.4
---
rpcbind.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..1a1cb99 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -160,7 +160,7 @@ interface(`rpcbind_admin',`
allow $1 rpcbind_t:process { ptrace signal_perms };
ps_process_pattern($1, rpcbind_t)
- init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+ init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
domain_system_change_exemption($1)
role_transition $2 rpcbind_initrc_exec_t system_r;
allow $2 system_r;
--
2.0.4
---
rpm.if | 4 ++--
1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/rpm.if b/rpm.if
index ef3b225..fc9c8d8 100644
--- a/rpm.if
+++ b/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
interface(`rpm_admin',`
gen_require(`
type rpm_t, rpm_script_t, rpm_initrc_exec_t;
- type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
- type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+ type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+ type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
')
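Review bot: two different changes are mixed in this block: a rename (rpm_var_cache_t -> rpm_cache_t) and a new require (rpm_var_run_t). Confirm the body actually uses rpm_var_run_t, since its use site is not in the hunk; otherwise it is an unused require, and a one-line note on which rpm.te type the cache rename follows would help the next reader.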
--
2.0.4
---
systemtap.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/systemtap.if b/systemtap.if
index c755e2d..d60a21e 100644
--- a/systemtap.if
+++ b/systemtap.if
@@ -20,7 +20,7 @@
interface(`stapserver_admin',`
gen_require(`
type stapserver_t, stapserver_conf_t, stapserver_log_t;
- type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+ type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
')
allow $1 stapserver_t:process { ptrace signal_perms };
--
2.0.4
---
svnserve.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/svnserve.if b/svnserve.if
index 2ac91b6..5cd46e9 100644
--- a/svnserve.if
+++ b/svnserve.if
@@ -31,5 +31,5 @@ interface(`svnserve_admin',`
allow $2 system_r;
files_search_pids($1)
- admin_pattern($1, httpd_var_run_t)
+ admin_pattern($1, svnserve_var_run_t)
')
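Review bot: httpd_var_run_t -> svnserve_var_run_t is more than a typo: it looks like a copy-paste from the apache policy, and depending on whether httpd_var_run_t was in scope for the caller it would either have failed to build or granted the svnserve admin role manage rights over apache's pid files instead of svnserve's. Also confirm svnserve_var_run_t is in this interface's gen_require, which is above the hunk.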
--
2.0.4
---
uptime.if | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/uptime.if b/uptime.if
index 01a3234..19f4724 100644
--- a/uptime.if
+++ b/uptime.if
@@ -19,7 +19,7 @@
#
interface(`uptime_admin',`
gen_require(`
- type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+ type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
type uptimed_spool_t, uptimed_var_run_t;
')
--
2.0.4
---
zabbix.if | 6 +++---
1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/zabbix.if b/zabbix.if
index dd63de0..29d87d7 100644
--- a/zabbix.if
+++ b/zabbix.if
@@ -138,9 +138,9 @@ interface(`zabbix_agent_tcp_connect',`
#
interface(`zabbix_admin',`
gen_require(`
- type zabbix_t, zabbix_log_t, zabbix_var_run_t;
- type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
- type zabbit_tmpfs_t;
+ type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+ type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+ type zabbix_tmpfs_t;
')
allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
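Review bot: three misspellings in one gen_require block (zabbit twice, plus the missing zabbix_agent_t that the allow rule below needs) suggest the rest of the body was written without ever being compiled; scan the remainder of zabbix_admin, which is not in the hunk, for the same zabbit spelling before merging.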
--
2.0.4
pyzor_role contains some named filetrans's which can not be applied
twice. The roles already contain pyzor_role which makes adding
pyzor_admin impossible. This removes the role so they can both be
applied.
---
pyzor.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/pyzor.if b/pyzor.if
index 593c03d..c05a504 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -132,5 +132,6 @@ interface(`pyzor_admin',`
files_search_var_lib($1)
admin_pattern($1, pyzor_var_lib_t)
- pyzor_role($2, $1)
+ # This makes it impossible to apply _admin if _role has already been applied
+ #pyzor_role($2, $1)
')
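Review bot: dropping pyzor_role($2, $1) changes what pyzor_admin grants: a caller that does not also apply pyzor_role loses those rules, and the `$2` parameter now serves only whatever remains of the interface. State that in the interface's doc block (the role parameter summary), and make the inline comment say why (the named file transitions in pyzor_role cannot be declared twice) rather than only that it fails, so nobody re-enables the call without knowing the constraint.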
--
2.0.4
spamassassin_role contains some named filetrans's which can not be
applied twice. The roles already contain spamassassin_role which makes
adding spamassassin_admin impossible. This removes the role so they can
both be applied.
---
spamassassin.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/spamassassin.if b/spamassassin.if
index 1499b0b..7f5a1cc 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -404,5 +404,6 @@ interface(`spamassassin_admin',`
files_list_pids($1)
admin_pattern($1, spamd_var_run_t)
- spamassassin_role($2, $1)
+ # This makes it impossible to apply _admin if _role has already been applied
+ #spamassassin_role($2, $1)
')
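Review bot: same pattern as the pyzor hunk: if the commented-out call stays as a marker, the comment should record the actual reason (spamassassin_role's named file transitions would be declared a second time when the role already has spamassassin_role), and the interface documentation should tell callers to apply spamassassin_role themselves since spamassassin_admin no longer does.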
--
2.0.4
On 11/26/2014 1:38 AM, Jason Zaman wrote:
> I was going through the policy and adding all the _admin interfaces to sysadm
> in the gentoo policy and hit quite a number of syntax errors. They are mostly
> just typos and missing types in gen_require.
>
> The last two remove the _role interface to not be called from _admin since the
> the _role is already called from in the role definitions and there is a
> conflict if it gets called twice so removing it from the _admin interface
> seemed reasonable. Commented them out and wrote a note above. Would it instead
> be preferred if i just removed it completely?
At first I wanted it removed, but then decided it's fine to keep the
comments, so we don't add it back in at some point in the future. Or
maybe it will work in the future, so we can add it back.
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com
On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
> On 11/26/2014 1:38 AM, Jason Zaman wrote:
> > I was going through the policy and adding all the _admin interfaces to sysadm
> > in the gentoo policy and hit quite a number of syntax errors. They are mostly
> > just typos and missing types in gen_require.
The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
This is also one of the reasons why I prefer only adding interfaces that are actually used.
On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support
--
Dominick Grift
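Both problems raised in this thread, gen_require blocks that name a misspelt or missing type (the bulk of Jason's patch series) and interfaces that are never called and therefore never compiled (Dominick's point above), can be caught before a caller trips over them. The following Python linter is an added example written for this page; it is not part of refpolicy and was not posted by anyone in the thread. It pulls interfaces out of .if text with a simplified m4 reader (nesting is tracked by counting "(`" openers and "')" closers), compares each body's type references against its gen_require block and against the types declared in .te text, and lists interfaces that no .te calls. The `foo` module, its types and the sample .if/.te text are constructed for the example; `class` lines in gen_require are skipped.

```python
"""Lint refpolicy .if interfaces: types used but not in gen_require, gen_require
entries nothing uses (usually typos), names no .te declares, interfaces no .te calls."""
import re

HEADER_RE = re.compile(r"(?:interface|template)\(`(\w+)',`")
GEN_REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
# "type a_t, b_t;", "attribute x;", "role r;", "bool b;"  (class lines are skipped)
REQUIRE_DECL_RE = re.compile(r"^\s*(?:type|attribute|role|bool)\s+([^;]+);", re.M)
TE_DECL_RE = re.compile(r"^\s*(?:type|attribute)\s+(\w+)", re.M)
WORD_RE = re.compile(r"\b[a-z][a-z0-9_]*\b")


def parse_interfaces(if_text):
    """Map interface/template name -> body (header and closing ') excluded). m4 depth
    is tracked by counting "(`" and "')", so gen_require's own ') does not end it."""
    interfaces, name, body, depth = {}, None, [], 0
    for line in if_text.splitlines():
        if name is None:
            m = HEADER_RE.search(line)
            if m:
                name, body, depth = m.group(1), [], 1
            continue
        depth += line.count("(`") - line.count("')")
        if depth <= 0:
            interfaces[name], name = "\n".join(body), None
        else:
            body.append(line)
    return interfaces


def split_require(body):
    """Return (names declared in gen_require, body with that block removed)."""
    m = GEN_REQUIRE_RE.search(body)
    if not m:
        return set(), body
    declared = set()
    for names in REQUIRE_DECL_RE.findall(m.group(1)):
        declared.update(n.strip() for n in names.split(","))
    return declared, body[:m.start()] + body[m.end():]


def lint_interface(body, defined):
    """Compare the body's *_t references with gen_require and with declared names."""
    declared, rest = split_require(body)
    code = "\n".join(ln for ln in rest.splitlines() if not ln.lstrip().startswith("#"))
    tokens = set(WORD_RE.findall(code))
    used_types = {t for t in tokens if t.endswith("_t")}
    return {
        "missing_require": sorted(used_types - declared),
        "unused_require": sorted(declared - tokens),
        "undefined": sorted((declared | used_types) - defined),
    }


def unused_interfaces(interfaces, te_text):
    """Interfaces no .te text calls: never expanded by m4, so never checked."""
    return sorted(n for n in interfaces
                  if not re.search(r"\b%s\(" % re.escape(n), te_text))


def run_lint(if_text, te_texts):
    interfaces = parse_interfaces(if_text)
    te_all = "\n".join(te_texts)
    defined = set(TE_DECL_RE.findall(te_all))  # types/attributes declared in .te
    report = {n: lint_interface(b, defined) for n, b in interfaces.items()}
    return report, unused_interfaces(interfaces, te_all)


# Constructed sample for a hypothetical "foo" module (not real refpolicy). foo_admin
# has the mistakes the patch series fixes repeatedly: a misspelt require
# (fooo_var_run_t) and types used but never required (foo_var_run_t, foo_conf_t).
SAMPLE_IF = r"""
interface(`foo_admin',`
    gen_require(`
        type foo_t, foo_initrc_exec_t;
        type fooo_var_run_t, foo_tmp_t;
    ')
    allow $1 foo_t:process { ptrace signal_perms };
    ps_process_pattern($1, foo_t)
    init_labeled_script_domtrans($1, foo_initrc_exec_t)
    role_transition $2 foo_initrc_exec_t system_r;
    allow $2 system_r;
    admin_pattern($1, foo_var_run_t)
    admin_pattern($1, foo_tmp_t)
    admin_pattern($1, foo_conf_t)
')
interface(`foo_read_config',`
    gen_require(`
        type foo_conf_t;
    ')
    files_search_etc($1)
    read_files_pattern($1, foo_conf_t, foo_conf_t)
')
"""
SAMPLE_TE = ("type foo_t;\ntype foo_exec_t;\ntype foo_initrc_exec_t;\n"
             "type foo_conf_t;\ntype foo_var_run_t;\ntype foo_tmp_t;\n")
# Only foo_read_config is called from the sysadm role, so foo_admin is never built.
SAMPLE_SYSADM_TE = "optional_policy(`\n    foo_read_config(sysadm_t)\n')\n"

if __name__ == "__main__":
    report, unused = run_lint(SAMPLE_IF, [SAMPLE_TE, SAMPLE_SYSADM_TE])
    for name, findings in report.items():
        for kind, names in findings.items():
            if names:
                print("%s: %s: %s" % (name, kind, ", ".join(names)))
    print("never called from any .te: %s" % ", ".join(unused))
```

Run over a real tree, the same functions would take every .if under policy/modules and every .te, sysadm.te included. The undefined check is what would have flagged disccd_var_run_t, rbcbind_initrc_exec_t and zabbit_agent_initrc_exec_t without compiling anything, and the unused-interface check is the mechanical counterpart of adding every _admin interface to sysadm.te so that it finally gets expanded.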
On Tue, Dec 02, 2014 at 05:15:43PM +0100, Dominick Grift wrote:
> On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
> > On 11/26/2014 1:38 AM, Jason Zaman wrote:
> > > I was going through the policy and adding all the _admin interfaces to sysadm
> > > in the gentoo policy and hit quite a number of syntax errors. They are mostly
> > > just typos and missing types in gen_require.
>
> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
>
> This is also one of the reasons why I prefer only adding interfaces that are actually used.
>
> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support
>
> --
> Dominick Grift
Would a patch for adding all of the foo_admin() interfaces to sysadm.te
in refpol be accepted? And if I send a patch to add them, where in
sysadm.te would be best? Put them directly in the main part of the
file, or should they go in the ifndef(distro_redhat) section?
-- Jason
On 12/02/2014 05:15 PM, Dominick Grift wrote:
> On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
>> On 11/26/2014 1:38 AM, Jason Zaman wrote:
>>> I was going through the policy and adding all the _admin interfaces to sysadm
>>> in the gentoo policy and hit quite a number of syntax errors. They are mostly
>>> just typos and missing types in gen_require.
> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
>
> This is also one of the reasons why I prefer only adding interfaces that are actually used.
>
> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support
>
We have tests for testing these _admin() interfaces in RHEL. I believe
we could add them to Fedora to have them available.
On Wed, Dec 03, 2014 at 10:27:09AM +0100, Miroslav Grepl wrote:
>
> We have tests for testing these _admin() interfaces in RHEL. I believe
> we could add them to Fedora to have them available.
I sent a big patch adding all the interfaces to sysadm.te; if you could
run your test suite on it to verify there are no errors I missed, that would
be great.
-- Jason
On Wed, 2014-12-03 at 10:27 +0100, Miroslav Grepl wrote:
> > The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
> >
> > This is also one of the reasons why I prefer only adding interfaces that are actually used.
> >
> > On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support
> >
> >
> We have tests for testing these _admin() interfaces in RHEL. I believe
> we could add them to Fedora to have them available.
Could be interesting. I fear however that the tests aren't going to be
the problem, but rather running them consistently when an unused
interface is added.
I might be wrong about that assumption, though.
On 12/3/2014 9:33 AM, Dominick Grift wrote:
> On Wed, 2014-12-03 at 10:27 +0100, Miroslav Grepl wrote:
>
>>> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
>>>
>>> This is also one of the reasons why I prefer only adding interfaces that are actually used.
>>>
>>> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support
>>>
>>>
>
>
>> We have tests for testing these _admin() interfaces in RHEL. I believe
>> we could add them to Fedora to have them available.
>
> Could be interesting. I fear however that the tests aren't going to be
> the problem, but rather running them consistently when an unused
> interface is added.
>
> I might be wrong about that assumption, though.
In the long run I'm not really concerned, as there will eventually be a
refpolicy->CIL compiler[1], which would do syntax checking on
interfaces, since they would be proper language constructs, instead of
macros.
[1] https://bitbucket.org/jwcarter/fpp
--
Chris PeBenito
Tresys Technology, LLC
http://www.tresys.com | oss.tresys.com