2017-04-26 16:23:47

by Russell Coker

Subject: [refpolicy] [PATCH] somme little misc things

This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).

Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
@@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
')

optional_policy(`
+ apt_use_fds(setfiles_t)
+')
+
+optional_policy(`
hotplug_use_fds(setfiles_t)
')
Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
+++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)

+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)

auth_can_read_shadow_passwords(rsync_t)
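Review bot: The new `files_getattr_all_pipes(rsync_t)` and `files_getattr_all_sockets(rsync_t)` lines carry no comment saying what rsync does that requires stat on every pipe and socket type on the system, and the commit message only says they were previously rejected for not using interfaces. An all-types getattr is broad enough that the reason should be recorded next to it, e.g. `# stat of pipes/sockets met while walking source trees` (replace with the observed denial), so a later maintainer can judge whether a narrower interface covers it.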
Index: refpolicy-2.20170421/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170421/policy/modules/system/fstools.te
@@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)

miscfiles_read_localization(fsadm_t)

+# for /run/mount/utab
+mount_getattr_runfile(fsadm_t)
+
# losetup: bind mount_loopback_t files to loop devices
mount_rw_loopback_files(fsadm_t)

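Review bot: The interface called below `# for /run/mount/utab` is named `mount_getattr_runfile`, which does not follow the `<module>_<access>_<object>s` form of the neighbouring calls (`mount_rw_loopback_files` two lines further down, `mount_rw_runtime_files` shown as context in the mount.if hunk); `mount_getattr_runtime_files(fsadm_t)` would match. The definition in the mount.if hunk needs the same rename, and the body note there applies too.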
Index: refpolicy-2.20170421/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/mount.if
+++ refpolicy-2.20170421/policy/modules/system/mount.if
@@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
')

+########################################
+## <summary>
+## Getattr on mount_var_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_getattr_runfile',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ allow $1 mount_var_run_t:file getattr;
+')
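Review bot: The new interface body is a raw `allow $1 mount_var_run_t:file getattr;` while the interface directly above it uses a pattern macro on `mount_runtime_t`; for consistency this should be `getattr_files_pattern($1, mount_runtime_t, mount_runtime_t)` with `mount_runtime_t` in the `gen_require`, assuming `mount_var_run_t` is the older name for the same type (confirm in mount.te). The pattern form also grants search on the directory holding the files, which a caller stating `/run/mount/utab` needs; whether fsadm_t already has search on the parent of that directory is outside this hunk. The summary `Getattr on mount_var_run_t files` would then read better as `Get the attributes of mount runtime files.`.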
Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170421/policy/modules/contrib/cron.te
@@ -336,6 +336,23 @@ ifdef(`distro_debian',`
optional_policy(`
logwatch_search_cache_dir(crond_t)
')
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+ dpkg_manage_db(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+ apache_delete_lib_files(system_cronjob_t)
')

ifdef(`distro_redhat',`
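Review bot: `apache_delete_lib_files(system_cronjob_t)` near the end of the hunk lets every system cron job delete apache library files, and neither the rule nor the commit message says which job needs it, whereas the apt/dpkg and accounting blocks in the same hunk are at least explained by the description. A comment above the call naming the job and path, e.g. `# <CRON JOB NAME> prunes <PATH UNDER apache lib dir>` (placeholders to fill in), would let a reviewer check that a narrower interface is not available. The enclosing `ifdef(`distro_debian'` block begins above this hunk.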
@@ -425,6 +442,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')

optional_policy(`
@@ -436,14 +454,15 @@ optional_policy(`
# System local policy
#

-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;

-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)

allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
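Review bot: `net_admin` is added to the `self:capability` set on the first changed line without a comment, while the commit message says it is needed for utilities that set socket buffers; `net_admin` also covers interface, routing and firewall configuration, so the reason should be recorded next to the rule. Add a comment above the allow such as `# net_admin: utilities run from cron raise socket buffer sizes` so the grant can be revisited if that utility later gets its own domain.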
@@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
+allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;

manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)

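Review bot: The new `allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;` sits among rules written with pattern macros (`manage_files_pattern`, `manage_lnk_files_pattern` on `crond_tmp_t`/`system_cronjob_tmp_t`); `manage_dirs_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)` would match them and also grant the parent-directory permissions a mkdir under `crond_tmp_t` needs. If directories are expected under `crond_tmp_t` as well as under `/tmp`, the `filetrans_pattern(... { file lnk_file })` line above probably needs `dir` added too; the `files_tmp_filetrans` change only covers the `/tmp` parent.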
@@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;

-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;

kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
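Review bot: The added `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` grants to `cronjob_t`, a different domain from the `system_cronjob_t` rules around it, inside what the earlier hunk's header labels the `System local policy` section. If `cronjob_t` is the user cron job domain, as the name suggests (its own section is outside this hunk), the rule belongs with that domain's local policy, or on a shared attribute if the file defines one, so that a reader of the unprivileged-cronjob rules sees that it also receives inherited-fd access to `crond_tmp_t` files.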
@@ -563,6 +584,10 @@ optional_policy(`
')

optional_policy(`
+ read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
cyrus_manage_data(system_cronjob_t)
')

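Review bot: The interface called at the top of the hunk, `read_mrtg_etc`, does not use the module-prefix form that every other interface on this page follows (`apt_use_fds`, `mount_rw_runtime_files`, `cyrus_manage_data` a few lines below), and the block is placed before the cyrus block although refpolicy keeps `optional_policy` blocks in module order. Renaming the call to `mrtg_read_config(system_cronjob_t)` and moving the block after the cyrus one fixes both; the definition in the mrtg.if hunk needs the same rename.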
Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
+++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@

########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`read_mrtg_etc',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
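Review bot: The body `allow $1 mrtg_etc_t:file read_file_perms;` grants read on the files but no search on the directory that holds them; if `mrtg_etc_t` is applied under `/etc`, as the `_etc_t` name suggests (confirm against mrtg.fc), callers also need `files_search_etc($1)`, and `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` is the form the rest of refpolicy uses for this. With those two lines the caller in the cron.te hunk does not need a second interface for the parent directory.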
Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20170421/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
## </summary>
## </param>
#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`apt_read_cache',`
gen_require(`
type apt_var_cache_t;
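Review bot: The new `apt_manage_cache` interface is inserted directly beneath the doc comment that, before this change, belonged to `apt_read_cache` (the `## </summary>`/`## </param>`/`#` lines at the top of the hunk), so that header, whose summary sits above the hunk and presumably matches the `Read apt package cache content.` block added lower down, now describes a manage interface as read access. Give `apt_manage_cache` its own `########################################` header with a summary such as `Create, read, write, and delete apt package cache content.` and leave the original header on `apt_read_cache`. The two raw allows could also become `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)`, matching the pattern-macro style of `mount_rw_runtime_files` shown in the mount.if hunk.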


2017-04-26 22:04:54

by Chris PeBenito

Subject: [refpolicy] [PATCH] somme little misc things

On 04/26/2017 12:23 PM, Russell Coker via refpolicy wrote:
> This patch allows setfiles to use file handles inherited from apt (for dpkg
> postinst scripts), adds those rsync permissions that were rejected previously
> due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
> allows system_cronjob_t some access it requires (including net_admin for
> when it runs utilities that set buffers).

I took almost everything, but there was a lot of moving in cron. There
are a couple notes:

> Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> @@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + apt_use_fds(setfiles_t)
> +')
> +
> +optional_policy(`
> hotplug_use_fds(setfiles_t)
> ')
> Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
> @@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
> fs_getattr_all_fs(rsync_t)
> fs_search_auto_mountpoints(rsync_t)
>
> +files_getattr_all_pipes(rsync_t)
> +files_getattr_all_sockets(rsync_t)
> files_search_home(rsync_t)
>
> auth_can_read_shadow_passwords(rsync_t)
> Index: refpolicy-2.20170421/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170421/policy/modules/system/fstools.te
> @@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)
>
> miscfiles_read_localization(fsadm_t)
>
> +# for /run/mount/utab
> +mount_getattr_runfile(fsadm_t)
> +
> # losetup: bind mount_loopback_t files to loop devices
> mount_rw_loopback_files(fsadm_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170421/policy/modules/system/mount.if
> @@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
> ')
>
> +########################################
> +## <summary>
> +## Getattr on mount_var_run_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_getattr_runfile',`
> + gen_require(`
> + type mount_var_run_t;
> + ')
> +
> + allow $1 mount_var_run_t:file getattr;
> +')
> Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170421/policy/modules/contrib/cron.te
> @@ -336,6 +336,23 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + dpkg_manage_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)

The admin interfaces aren't intended to be used like this.


> +')
> +
> +optional_policy(`
> + apache_delete_lib_files(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
> @@ -425,6 +442,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -436,14 +454,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;

I'm skeptical of this because then a rogue cronjob can destroy some
evidence of what it's doing.


> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)

Why is this needed? The same concern as above applies here as well.


> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> @@ -563,6 +584,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
> Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## Read mrtg configuration
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`read_mrtg_etc',`
> + gen_require(`
> + type mrtg_etc_t;
> + ')
> +
> + allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create and append mrtg log files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170421/policy/modules/contrib/apt.if
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
> ## </summary>
> ## </param>
> #
> +interface(`apt_manage_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir manage_dir_perms;
> + allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Read apt package cache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> interface(`apt_read_cache',`
> gen_require(`
> type apt_var_cache_t;



--
Chris PeBenito