2017-11-15 07:10:14

by Mira Ressel

Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability

It already has dac_override, and depending on the pam modules being
used, this may actually be necessary. Due to the 4.13 changes, I'm now
getting dac_read_search denials.
---
policy/modules/system/locallogin.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 92679ce36..ff8df49df 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
# Local login local policy
#

-allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
allow local_login_t self:process { setexec setrlimit setsched };
allow local_login_t self:fd use;
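Review bot: the capability set on the `+` line is no longer sorted; refpolicy keeps permission sets alphabetical, so `dac_read_search` belongs after `dac_override`, i.e. `allow local_login_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };`. On the substance, the added capability grants nothing that `dac_override` did not already allow (bypassing read and search checks is a subset of the full DAC bypass), so the change only silences the denials the commit message describes; naming the kernel 4.13 change explicitly in the message would spare a later reader of the log from having to guess why `dac_read_search` started being checked separately.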
--
2.15.0


2017-11-15 07:10:15

by Mira Ressel

Subject: [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories

---
policy/modules/system/locallogin.te | 3 +++
1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index ff8df49df..8a0660320 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -183,6 +183,9 @@ optional_policy(`
optional_policy(`
# Search for mail spool file.
mta_getattr_spool(local_login_t)
+
+ # List contents of ~/Maildir
+ mta_list_mail_home_rw(local_login_t)
')

optional_policy(`
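Review bot: the commit message body is empty, so the rationale for letting the login domain list `~/Maildir` is missing; the subject says what is granted but not which component needs it, and a reviewer cannot tell that from the hunk alone, so state the use case in the message. Placement is right: the new call sits inside the existing mta `optional_policy` block next to `mta_getattr_spool(local_login_t)`, and judging by its name `mta_list_mail_home_rw` grants directory listing rather than read access to the messages themselves, which is the narrow permission a mail-status check would need.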
--
2.15.0

2017-11-15 09:40:54

by Russell Coker

Subject: [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories

Why is that needed? Is there some pam module or something that is displaying
mail status?

On Wednesday, 15 November 2017 8:10:15 AM AEDT Luis Ressel via refpolicy
wrote:
> ---
> policy/modules/system/locallogin.te | 3 +++
> 1 file changed, 3 insertions(+)
>
> diff --git a/policy/modules/system/locallogin.te
> b/policy/modules/system/locallogin.te index ff8df49df..8a0660320 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -183,6 +183,9 @@ optional_policy(`
> optional_policy(`
> # Search for mail spool file.
> mta_getattr_spool(local_login_t)
> +
> + # List contents of ~/Maildir
> + mta_list_mail_home_rw(local_login_t)
> ')
>
> optional_policy(`


--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-11-15 19:58:57

by Mira Ressel

Subject: [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories

On Wed, 15 Nov 2017 20:40:54 +1100
Russell Coker via refpolicy <[email protected]> wrote:

> Why is that needed? Is there some pam module or something that is
> displaying mail status?

Yes, indeed. Sorry, I'd been meaning to supply a more detailed
description, but apparently I forgot.

My use case is to let login display mail status via the pam_mail module.
Since my MDA delivers directly to ~/Maildir, this requires the
permission I submitted.

Regards,
Luis Ressel

2017-11-15 20:00:45

by Dac Override

Subject: [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories

On Wed, Nov 15, 2017 at 08:58:57PM +0100, Luis Ressel via refpolicy wrote:
> On Wed, 15 Nov 2017 20:40:54 +1100
> Russell Coker via refpolicy <[email protected]> wrote:
>
> > Why is that needed? Is there some pam module or something that is
> > displaying mail status?
>
> Yes, indeed. Sorry, I'd been meaning to supply a more detailed
> description, but apparently I forgot.
>
> My use case is to let login display mail status via the pam_mail module.
> Since my MDA delivers directly to ~/Maildir, this requires the
> permission I submitted.

I would probably then consider adding this to authconfig. Probably associate these rules with pam clients.

>
> Regards,
> Luis Ressel

--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

2017-11-15 20:25:48

by Dac Override

Subject: [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories

On Wed, Nov 15, 2017 at 09:00:45PM +0100, Dominick Grift wrote:
> On Wed, Nov 15, 2017 at 08:58:57PM +0100, Luis Ressel via refpolicy wrote:
> > On Wed, 15 Nov 2017 20:40:54 +1100
> > Russell Coker via refpolicy <[email protected]> wrote:
> >
> > > Why is that needed? Is there some pam module or something that is
> > > displaying mail status?
> >
> > Yes, indeed. Sorry, I'd been meaning to supply a more detailed
> > description, but apparently I forgot.
> >
> > My use case is to let login display mail status via the pam_mail module.
> > Since my MDA delivers directly to ~/Maildir, this requires the
> > permission I submitted.
>
> I would probably then consider adding this to authconfig. Probably associate these rules with pam clients.

I meant to type "authlogin".
>
> >
> > Regards,
> > Luis Ressel




2017-11-18 10:55:17

by Chris PeBenito

Subject: [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability

On 11/15/2017 02:10 AM, Luis Ressel via refpolicy wrote:
> It already has dac_override, and depending on the pam modules being
> used, this may actually be necessary. Due to the 4.13 changes, I'm now
> getting dac_read_search denials.
> ---
> policy/modules/system/locallogin.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 92679ce36..ff8df49df 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -32,7 +32,7 @@ role system_r types sulogin_t;
> # Local login local policy
> #
>
> -allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> dontaudit local_login_t self:capability net_admin;
> allow local_login_t self:process { setexec setrlimit setsched };
> allow local_login_t self:fd use;

Merged.

--
Chris PeBenito