2017-09-15 17:16:12

by Jason Zaman

Subject: [refpolicy] [PATCH 1/3] udev: map module objects to load kernel modules

denied { map } for pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 1e84e582..35368aa1 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,6 +174,7 @@ modutils_domtrans(udev_t)
modutils_read_module_config(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)
+modutils_read_module_objects(udev_t)

seutil_read_config(udev_t)
seutil_read_default_contexts(udev_t)
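Review bot: the denial quoted in the commit message is for the `map` permission on modules_object_t, but the rule added is `modutils_read_module_objects(udev_t)`, whose name only promises read access; confirm that this interface also grants `file map`, otherwise the AVC will persist, and add a sentence to the commit body stating why udev needs it (it loads the .ko files it resolves through the module dependency data) rather than leaving only the raw denial line as the explanation.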
--
2.13.5


2017-09-15 17:16:13

by Jason Zaman

Subject: [refpolicy] [PATCH 2/3] syslog: allow map persist file

---
policy/modules/system/logging.te | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 5d3c8640..04140bf1 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -421,6 +421,7 @@ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })

manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
+allow syslogd_t syslogd_var_lib_t:file map;
files_search_var_lib(syslogd_t)

# manage pid file
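Review bot: the commit body is empty and the subject says only "map persist file", so a reviewer cannot tell which syslog implementation keeps a persist file under syslogd_var_lib_t or which denial prompted the change; include the AVC line, as the udev patch in this series does. Stylistically the raw `allow syslogd_t syslogd_var_lib_t:file map;` is acceptable for the domain's own type, but a short comment above it, in the manner of the `# manage pid file` comment that follows, would match the conventions of the surrounding block.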
--
2.13.5

2017-09-15 17:16:14

by Jason Zaman

Subject: [refpolicy] [PATCH 3/3] sudo: add fcontext for /run/sudo/ts/USERNAME

This lets restorecon -F set the context properly
---
policy/modules/system/authlogin.fc | 1 +
1 file changed, 1 insertion(+)

diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
index 68f61737..a0c4d1c9 100644
--- a/policy/modules/system/authlogin.fc
+++ b/policy/modules/system/authlogin.fc
@@ -49,5 +49,6 @@ ifdef(`distro_suse', `
/run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
/run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
+/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0)
/var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
/var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
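Review bot: the new `/run/sudo/ts/%{USERNAME}` entry resolves to the same type, pam_var_run_t, as the existing `/run/sudo(/.*)?` line directly above it, so on its own the hunk looks redundant; the one-line message ("lets restorecon -F set the context properly") should spell out what actually differs, presumably the SELinux user portion of the context, which the `%{USERNAME}` expansion makes per-user and which `restorecon -F` resets along with the type. Also consider restricting the entry to regular files with the `--` file-type flag, since the timestamp entries are files rather than directories.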
--
2.13.5

2017-09-16 17:15:02

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/3] udev: map module objects to load kernel modules

On 09/15/2017 01:16 PM, Jason Zaman via refpolicy wrote:
> denied { map } for pid=7850 comm="systemd-udevd" path="/lib64/modules/4.13.0-gentoo/kernel/drivers/hid/hid-logitech-hidpp.ko" dev="zfs" ino=709934 scontext=system_u:system_r:udev_t:s0-s0:c0.c1023 tcontext=system_u:object_r:modules_object_t:s0 tclass=file permissive=0
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 1e84e582..35368aa1 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -174,6 +174,7 @@ modutils_domtrans(udev_t)
> modutils_read_module_config(udev_t)
> # read modules.inputmap:
> modutils_read_module_deps(udev_t)
> +modutils_read_module_objects(udev_t)
>
> seutil_read_config(udev_t)
> seutil_read_default_contexts(udev_t)

Merged.

--
Chris PeBenito

2017-09-16 17:15:08

by Chris PeBenito

Subject: [refpolicy] [PATCH 2/3] syslog: allow map persist file

On 09/15/2017 01:16 PM, Jason Zaman via refpolicy wrote:
> ---
> policy/modules/system/logging.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 5d3c8640..04140bf1 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -421,6 +421,7 @@ manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> +allow syslogd_t syslogd_var_lib_t:file map;
> files_search_var_lib(syslogd_t)
>
> # manage pid file

Merged.

--
Chris PeBenito

2017-09-16 17:15:14

by Chris PeBenito

Subject: [refpolicy] [PATCH 3/3] sudo: add fcontext for /run/sudo/ts/USERNAME

On 09/15/2017 01:16 PM, Jason Zaman via refpolicy wrote:
> This lets restorecon -F set the context properly
> ---
> policy/modules/system/authlogin.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/authlogin.fc b/policy/modules/system/authlogin.fc
> index 68f61737..a0c4d1c9 100644
> --- a/policy/modules/system/authlogin.fc
> +++ b/policy/modules/system/authlogin.fc
> @@ -49,5 +49,6 @@ ifdef(`distro_suse', `
> /run/pam_ssh(/.*)? gen_context(system_u:object_r:var_auth_t,s0)
> /run/sepermit(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /run/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> +/run/sudo/ts/%{USERNAME} gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/(db|adm)/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)
> /var/lib/sudo(/.*)? gen_context(system_u:object_r:pam_var_run_t,s0)

Merged.

--
Chris PeBenito