2018-04-11 18:56:30

by jwcart2

Subject: [refpolicy] [PATCH 00/13] Fix issues identified by spt_lint.lua to contrib

The first nine patches cause no change in the final kernel policy.
The last four do because they fix interfaces that were always being
removed because they required an undeclared identifier.

Explanations for some of the patches.

Patches 2 and 3:
spt_lint.lua looks for calls that have too many or too few arguments and
it parses the interface XML header looking for optional and unused
parameters, so by marking parameters that are unused as unused it will
not report a problem.

Patches 5 and 6:
spt_lint.lua will report a problem when a type is used in a module other
than the one that it is declared in. Enforcing this helps reduce the
amount of inter-module dependencies.

Patches 7 - 9:
These patches fix interfaces that are not used in the policy. This is why
they do not change the final policy.

Patches 10 - 13:
These patches fix interfaces (or interface calls) that are used in the policy.
These do cause a change in the final policy.

James Carter (13):
Remove unnecessary semicolons
Mark unused parameter as unused
Add unused parameter and mark as unused
Remove use of undeclared attribute from portage.te
Move use of httpd_t from mojomojo.te to apache.te
Move use of sendmail_exec_t from sendmail.te to mta.te
Fix typos in identifier names
Remove undeclared identifiers from shorewall interfaces
Fix interfaces that use an undeclared identifier
Fix typos in identifier names
Remove undeclared identifiers from interfaces
Fix interfaces that use an undeclared identifier
Removed call to deprecated interface xserver_manage_xdm_spool_files()

accountsd.if | 2 +-
alsa.te | 2 +-
apache.if | 19 +++++++++++++++++++
bugzilla.if | 2 +-
ccs.if | 4 ++--
cfengine.if | 4 ++--
cobbler.if | 6 +++---
cron.if | 4 ++--
cups.if | 3 +--
dbus.if | 2 +-
devicekit.if | 2 +-
djbdns.if | 4 ++--
dspam.if | 4 ++--
evolution.if | 2 +-
firewalld.if | 4 ++--
ftp.te | 2 +-
kismet.if | 4 ++--
lsm.if | 2 +-
mojomojo.te | 2 +-
mta.if | 19 +++++++++++++++++++
obex.if | 2 +-
plymouthd.if | 2 +-
plymouthd.te | 1 -
portage.te | 2 --
qemu.te | 2 +-
rabbitmq.if | 6 ++++--
rpm.if | 4 ++--
rsync.if | 2 +-
samba.if | 3 +--
samhain.if | 2 +-
sectoolm.if | 2 +-
sendmail.te | 3 ++-
setroubleshoot.if | 5 +++++
shorewall.if | 14 ++------------
sosreport.if | 2 +-
sssd.if | 4 ++--
tftp.if | 9 +++++++--
wm.if | 2 +-
38 files changed, 98 insertions(+), 62 deletions(-)

--
2.13.6


2018-04-11 18:56:36

by jwcart2

Subject: [refpolicy] [PATCH 06/13] Move use of sendmail_exec_t from sendmail.te to mta.te

The type sendmail_exec_t is actually declared in mta.te.

Created mta.if:mta_sendmail_entry_point() to make sendmail_exec_t
usable as an entry point for a domain.

Modified sendmail.te to use the new interface along with the
application_type() interface to replace the call to
application_domain() using sendmail_exec_t.

Signed-off-by: James Carter <[email protected]>
---
mta.if | 19 +++++++++++++++++++
sendmail.te | 3 ++-
2 files changed, 21 insertions(+), 1 deletion(-)

diff --git a/mta.if b/mta.if
index 2bff433..7c3154d 100644
--- a/mta.if
+++ b/mta.if
@@ -530,6 +530,25 @@ interface(`mta_sendmail_exec',`

########################################
## <summary>
+## Make sendmail usable as an entry
+## point for the domain.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to be entered.
+## </summary>
+## </param>
+#
+interface(`mta_sendmail_entry_point',`
+ gen_require(`
+ type sendmail_exec_t;
+ ')
+
+ domain_entry_file($1, sendmail_exec_t)
+')
+
+########################################
+## <summary>
## Read mail server configuration content.
## </summary>
## <param name="domain">
diff --git a/sendmail.te b/sendmail.te
index 8d2669e..3503f31 100644
--- a/sendmail.te
+++ b/sendmail.te
@@ -32,7 +32,8 @@ mta_mailserver_sender(sendmail_t)
role sendmail_roles types sendmail_t;

type unconfined_sendmail_t;
-application_domain(unconfined_sendmail_t, sendmail_exec_t)
+application_type(unconfined_sendmail_t)
+mta_sendmail_entry_point(unconfined_sendmail_t)
role sendmail_unconfined_roles types unconfined_sendmail_t;

########################################
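Review bot: the replacement covers only the entry-point half of what application_domain(unconfined_sendmail_t, sendmail_exec_t) did, since mta_sendmail_entry_point() just calls domain_entry_file($1, sendmail_exec_t) and application_type() takes no executable. Whatever application_domain() applied to sendmail_exec_t itself must already be provided in mta.te, where the type is declared, for the cover letter's statement that patches 1-9 leave the final policy unchanged to hold; please say so in the commit log so the next reader does not have to re-derive it.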
--
2.13.6

2018-04-11 18:56:37

by jwcart2

Subject: [refpolicy] [PATCH 07/13] Fix typos in identifier names

These interfaces are not being called in the policy (or are only called by
interfaces that are not called).

In kismet.if:kismet_role()
kistmet_tmpfs_t should be kismet_tmpfs_t

In obex.if:obex_role_template()
obex_exec_exec_t should be obex_exec_t

In sosreport.if:sosreport_run()
sospreport_roles should be sosreport_roles
Called only in sosreport_role() which is not called in policy.

Signed-off-by: James Carter <[email protected]>
---
kismet.if | 4 ++--
obex.if | 2 +-
sosreport.if | 2 +-
3 files changed, 4 insertions(+), 4 deletions(-)

diff --git a/kismet.if b/kismet.if
index 7e61276..1ba783c 100644
--- a/kismet.if
+++ b/kismet.if
@@ -18,12 +18,12 @@
template(`kismet_role',`
gen_require(`
type kismet_exec_t, kismet_home_t, kismet_tmp_t;
- type kistmet_tmpfs_t, kismet_t;
+ type kismet_tmpfs_t, kismet_t;
')

kismet_run($1, $2)

- allow $2 kistmet_t:process { ptrace signal_perms };
+ allow $2 kismet_t:process { ptrace signal_perms };
ps_process_pattern($2, kismet_t)

allow $2 kismet_home_t:dir { manage_dir_perms relabel_dir_perms };
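Review bot: the commit log lists only the kistmet_tmpfs_t typo for kismet_role(), but the second change in this hunk also corrects `allow $2 kistmet_t:process { ptrace signal_perms };` to kismet_t. Please mention that second fix in the log so the history matches the diff, since it is the one that actually affected an allow rule rather than a require.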
diff --git a/obex.if b/obex.if
index 410c0e8..6723697 100644
--- a/obex.if
+++ b/obex.if
@@ -24,7 +24,7 @@
template(`obex_role_template',`
gen_require(`
attribute_role obex_roles;
- type obex_t, obex_exec_exec_t;
+ type obex_t, obex_exec_t;
')

########################################
diff --git a/sosreport.if b/sosreport.if
index 634c6b4..e1edfd9 100644
--- a/sosreport.if
+++ b/sosreport.if
@@ -42,7 +42,7 @@ interface(`sosreport_run',`
')

sosreport_domtrans($1)
- roleattribute $2 sospreport_roles;
+ roleattribute $2 sosreport_roles;
')

########################################
--
2.13.6

2018-04-11 18:56:31

by jwcart2

Subject: [refpolicy] [PATCH 01/13] Remove unnecessary semicolons

Removed unnecessary semicolons in alsa.te, evolution.if, and qemu.te.

Signed-off-by: James Carter <[email protected]>
---
alsa.te | 2 +-
evolution.if | 2 +-
qemu.te | 2 +-
3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/alsa.te b/alsa.te
index dd9fb5b..94e42d7 100644
--- a/alsa.te
+++ b/alsa.te
@@ -73,7 +73,7 @@ manage_dirs_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)
manage_files_pattern(alsa_t, alsa_var_lib_t, alsa_var_lib_t)

allow alsa_t alsa_var_lock_t:file manage_file_perms;
-files_lock_filetrans(alsa_t, alsa_var_lock_t, file);
+files_lock_filetrans(alsa_t, alsa_var_lock_t, file)

kernel_read_system_state(alsa_t)

diff --git a/evolution.if b/evolution.if
index 4319443..32cc77f 100644
--- a/evolution.if
+++ b/evolution.if
@@ -224,5 +224,5 @@ interface(`evolution_domtrans',`
')

corecmd_search_bin($1)
- domtrans_pattern($1, evolution_exec_t, evolution_t);
+ domtrans_pattern($1, evolution_exec_t, evolution_t)
')
diff --git a/qemu.te b/qemu.te
index 0d4648b..0ad00b8 100644
--- a/qemu.te
+++ b/qemu.te
@@ -26,7 +26,7 @@ type qemu_unit_t;
init_unit_file(qemu_unit_t)

type qemu_var_run_t;
-files_pid_file(qemu_var_run_t);
+files_pid_file(qemu_var_run_t)

########################################
#
--
2.13.6

2018-04-11 18:56:32

by jwcart2

Subject: [refpolicy] [PATCH 02/13] Mark unused parameter as unused

Marked unused parameters as unused in the interfaces listed below.

accountsd.if:accountsd_admin()
bugzilla.if:bugzilla_admin()
devicekit.if:devicekit_admin()
lsm.if:lsmd_admin()
plymouthd.if:plymouthd_admin()
rsync.if:rsync_admin()
samhain.if:samhain_admin()
sectoolm.if:sectoolm_role()

Signed-off-by: James Carter <[email protected]>
---
accountsd.if | 2 +-
bugzilla.if | 2 +-
devicekit.if | 2 +-
lsm.if | 2 +-
plymouthd.if | 2 +-
rsync.if | 2 +-
samhain.if | 2 +-
sectoolm.if | 2 +-
8 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/accountsd.if b/accountsd.if
index bd5ec9a..312d569 100644
--- a/accountsd.if
+++ b/accountsd.if
@@ -129,7 +129,7 @@ interface(`accountsd_manage_lib_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
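Review bot: marking the role parameter unused="true" silences the argument-count check without settling whether the parameter should exist. The header still documents it as "Role allowed access" for an _admin interface, so if callers pass a role because they expect a transition into the daemon domain for that role, the fix is to use $2 in the body; if the role is genuinely irrelevant, consider saying so in the param summary. The same applies to the remaining seven hunks in this patch.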
diff --git a/bugzilla.if b/bugzilla.if
index 1b22262..19fce8e 100644
--- a/bugzilla.if
+++ b/bugzilla.if
@@ -48,7 +48,7 @@ interface(`bugzilla_dontaudit_rw_stream_sockets',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/devicekit.if b/devicekit.if
index 8ce99ff..da75b8e 100644
--- a/devicekit.if
+++ b/devicekit.if
@@ -248,7 +248,7 @@ interface(`devicekit_manage_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/lsm.if b/lsm.if
index 365ab6f..44910af 100644
--- a/lsm.if
+++ b/lsm.if
@@ -10,7 +10,7 @@
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/plymouthd.if b/plymouthd.if
index 54cd777..04e0c73 100644
--- a/plymouthd.if
+++ b/plymouthd.if
@@ -242,7 +242,7 @@ interface(`plymouthd_read_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/rsync.if b/rsync.if
index 7a14937..097f4d3 100644
--- a/rsync.if
+++ b/rsync.if
@@ -247,7 +247,7 @@ interface(`rsync_etc_filetrans_config',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/samhain.if b/samhain.if
index 983fee5..8b6fb18 100644
--- a/samhain.if
+++ b/samhain.if
@@ -203,7 +203,7 @@ interface(`samhain_manage_pid_files',`
## Domain allowed access.
## </summary>
## </param>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
diff --git a/sectoolm.if b/sectoolm.if
index c78a569..9e9663b 100644
--- a/sectoolm.if
+++ b/sectoolm.if
@@ -4,7 +4,7 @@
## <summary>
## Role access for sectoolm.
## </summary>
-## <param name="role">
+## <param name="role" unused="true">
## <summary>
## Role allowed access.
## </summary>
--
2.13.6

2018-04-11 18:56:34

by jwcart2

Subject: [refpolicy] [PATCH 04/13] Remove use of undeclared attribute from portage.te

Removed two dontaudit rules that referred to device_type.

This attribute was not declared in policy and its only use was in a
TODO ifdef block in portage.te.

Signed-off-by: James Carter <[email protected]>
---
portage.te | 2 --
1 file changed, 2 deletions(-)

diff --git a/portage.te b/portage.te
index 48983d9..6c7b379 100644
--- a/portage.te
+++ b/portage.te
@@ -232,8 +232,6 @@ ifdef(`TODO',`
# seems to work ok without these
dontaudit portage_t device_t:{ blk_file chr_file } getattr;
dontaudit portage_t proc_t:dir setattr_dir_perms;
-dontaudit portage_t device_type:chr_file read_chr_file_perms;
-dontaudit portage_t device_type:blk_file read_blk_file_perms;
')

##########################################
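Review bot: the two dontaudit lines left in this ifdef(`TODO') block still name device_t and proc_t directly instead of going through interfaces. Since the block is already being trimmed, either convert those to the corresponding interface calls or drop the TODO block entirely; otherwise the cross-module type check described for patches 5 and 6 is likely to flag this spot next.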
--
2.13.6

2018-04-11 18:56:33

by jwcart2

Subject: [refpolicy] [PATCH 03/13] Add unused parameter and mark as unused

Added unused parameters and marked them as unused in the interfaces
listed below.

setroubleshoot.if:setroubleshoot_admin()
tftp.if:tftp_admin()

Signed-off-by: James Carter <[email protected]>
---
setroubleshoot.if | 5 +++++
tftp.if | 5 +++++
2 files changed, 10 insertions(+)

diff --git a/setroubleshoot.if b/setroubleshoot.if
index 800b545..f7d788b 100644
--- a/setroubleshoot.if
+++ b/setroubleshoot.if
@@ -133,6 +133,11 @@ interface(`setroubleshoot_dbus_chat_fixit',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`setroubleshoot_admin',`
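Review bot: adding a role parameter that the body never uses, directly above a `<rolecap/>` tag, documents a role capability the interface does not actually grant. If callers pass a role to setroubleshoot_admin() because they expect to run the tool in that role, the body should use $2; if not, consider dropping `<rolecap/>` or stating in the param summary that the role is accepted only so existing two-argument calls keep working. The same applies to the tftp_admin() hunk below.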
diff --git a/tftp.if b/tftp.if
index 9957e30..dae82eb 100644
--- a/tftp.if
+++ b/tftp.if
@@ -156,6 +156,11 @@ interface(`tftp_filetrans_tftpdir',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="role" unused="true">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
## <rolecap/>
#
interface(`tftp_admin',`
--
2.13.6

2018-04-11 18:56:35

by jwcart2

Subject: [refpolicy] [PATCH 05/13] Move use of httpd_t from mojomojo.te to apache.te

The type httpd_t is actually declared in apache.te.

Created apache.if:apache_rw_stream_sockets() which allows
reading and writing unix domain stream sockets labeled httpd_t.

Modified mojomojo.te to use the new interface. This is needed by the
module mojomojo, which had been referring to httpd_t directly.

Signed-off-by: James Carter <[email protected]>
---
apache.if | 19 +++++++++++++++++++
mojomojo.te | 2 +-
2 files changed, 20 insertions(+), 1 deletion(-)

diff --git a/apache.if b/apache.if
index 135e2f5..94878d6 100644
--- a/apache.if
+++ b/apache.if
@@ -373,6 +373,25 @@ interface(`apache_dontaudit_rw_stream_sockets',`

########################################
## <summary>
+## Read and write httpd unix domain
+## stream sockets.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`apache_rw_stream_sockets',`
+ gen_require(`
+ type httpd_t;
+ ')
+
+ allow $1 httpd_t:unix_stream_socket rw_stream_socket_perms;
+')
+
+########################################
+## <summary>
## Do not audit attempts to read and
## write httpd TCP sockets.
## </summary>
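Review bot: the new apache_rw_stream_sockets() lands after apache_dontaudit_rw_stream_sockets() (see the hunk header) and before the TCP-socket dontaudit. refpolicy normally places an allow interface before its dontaudit counterpart, so moving the new block above apache_dontaudit_rw_stream_sockets() would keep the file's ordering consistent with the rest of apache.if.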
diff --git a/mojomojo.te b/mojomojo.te
index 8f4d477..ea853ce 100644
--- a/mojomojo.te
+++ b/mojomojo.te
@@ -12,7 +12,7 @@ apache_content_template(mojomojo)
# Local policy
#

-allow httpd_mojomojo_script_t httpd_t:unix_stream_socket rw_stream_socket_perms;
+apache_rw_stream_sockets(httpd_mojomojo_script_t)

corenet_sendrecv_smtp_client_packets(httpd_mojomojo_script_t)
corenet_tcp_connect_smtp_port(httpd_mojomojo_script_t)
--
2.13.6

2018-04-11 18:56:38

by jwcart2

Subject: [refpolicy] [PATCH 08/13] Remove undeclared identifiers from shorewall interfaces

Both shorewall_read_pid_files() and shorewall_rw_pid_files() use the
undeclared type shorewall_var_run_t. Removed statements referring to this
type and marked the interfaces as deprecated because they no longer do
anything useful.

Neither interface is called in the policy.

Signed-off-by: James Carter <[email protected]>
---
shorewall.if | 18 ++++--------------
1 file changed, 4 insertions(+), 14 deletions(-)

diff --git a/shorewall.if b/shorewall.if
index 108ce75..119ba27 100644
--- a/shorewall.if
+++ b/shorewall.if
@@ -62,38 +62,28 @@ interface(`shorewall_read_config',`
## <summary>
## Read shorewall pid files.
## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_read_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- read_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+ refpolicywarn(`$0($*) has been deprecated')
')

#######################################
## <summary>
## Read and write shorewall pid files.
## </summary>
-## <param name="domain">
+## <param name="domain" unused="true">
## <summary>
## Domain allowed access.
## </summary>
## </param>
#
interface(`shorewall_rw_pid_files',`
- gen_require(`
- type shorewall_var_run_t;
- ')
-
- files_search_pids($1)
- rw_files_pattern($1, shorewall_var_run_t, shorewall_var_run_t)
+ refpolicywarn(`$0($*) has been deprecated')
')

######################################
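Review bot: both interfaces now only emit a deprecation warning, yet their `<summary>` text is unchanged ("Read shorewall pid files", "Read and write shorewall pid files"), so generated interface documentation will keep advertising access that is no longer granted. Add a deprecation note to the summaries (or move the two interfaces to a deprecated section) so callers see it in the docs as well as at build time.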
--
2.13.6

2018-04-11 18:56:39

by jwcart2

Subject: [refpolicy] [PATCH 09/13] Fix interfaces that use an undeclared identifier

These interfaces are not being called in the policy.

dbus.if:dbus_send_all_session_bus()
Use session_bus_type instead of dbus_session_bus_type.

rabbitmq.if:rabbitmq_domtrans()
Use rabbitmq_epmd_t and rabbitmq_beam_t instead of rabbitmq_t
and rabbitmq_epmd_exec_t and rabbitmq_beam_exec_t instead of
rabbitmq_exec_t.

Signed-off-by: James Carter <[email protected]>
---
dbus.if | 2 +-
rabbitmq.if | 6 ++++--
2 files changed, 5 insertions(+), 3 deletions(-)

diff --git a/dbus.if b/dbus.if
index 317d3d8..552034d 100644
--- a/dbus.if
+++ b/dbus.if
@@ -248,7 +248,7 @@ interface(`dbus_send_all_session_bus',`
class dbus send_msg;
')

- allow $1 dbus_session_bus_type:dbus send_msg;
+ allow $1 session_bus_type:dbus send_msg;
')

#######################################
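Review bot: only the allow rule changes here, and the gen_require block above it shows just `class dbus send_msg;` in context. Please confirm that session_bus_type is required in that block (and any dbus_session_bus_type require is gone), otherwise the interface is still removed for an undeclared identifier, which is exactly the failure the cover letter describes.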
diff --git a/rabbitmq.if b/rabbitmq.if
index 53efd0d..854cd36 100644
--- a/rabbitmq.if
+++ b/rabbitmq.if
@@ -12,11 +12,13 @@
#
interface(`rabbitmq_domtrans',`
gen_require(`
- type rabbitmq_t, rabbitmq_exec_t;
+ type rabbitmq_epmd_t, rabbitmq_epmd_exec_t;
+ type rabbitmq_beam_t, rabbitmq_beam_exec_t;
')

corecmd_search_bin($1)
- domtrans_pattern($1, rabbitmq_exec_t, rabbitmq_t)
+ domtrans_pattern($1, rabbitmq_epmd_exec_t, rabbitmq_epmd_t)
+ domtrans_pattern($1, rabbitmq_beam_exec_t, rabbitmq_beam_t)
')

########################################
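Review bot: rabbitmq_domtrans() now performs two domain transitions (to rabbitmq_epmd_t and rabbitmq_beam_t), while the commit log describes the change as a substitution of identifiers. The interface's `<summary>` above this hunk and the log should state that a caller receives transitions for both executables, since a caller that needs only one of them cannot opt out of the other.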
--
2.13.6

2018-04-12 22:47:10

by Chris PeBenito

Subject: [refpolicy] [PATCH 00/13] Fix issues identified by spt_lint.lua to contrib

On 04/11/2018 02:56 PM, James Carter via refpolicy wrote:
> The first nine patches cause no change in the final kernel policy.
> The last four do because they fix interfaces that were always being
> removed because they required an undeclared identifier.
>
> Explanations for some of the patches.
>
> Patches 2 and 3:
> spt_lint.lua looks for calls that have too many or too few arguments and
> it parses the interface XML header looking for optional and unused
> parameters, so by marking parameters that are unused as unused it will
> not report a problem.
>
> Patches 5 and 6:
> spt_lint.lua will report a problem when a type is used in a module other
> than the one that it is declared in. Enforcing this helps reduce the
> amount of inter-module dependencies.
>
> Patches 7 - 9:
> These patches fix interfaces that are not used in the policy. This is why
> they do not change the final policy.
>
> Patches 10 - 13:
> These patches fix interfaces (or interface calls) that are used in the policy.
> These do cause a change in the final policy.

Merged.


> James Carter (13):
> Remove unnecessary semicolons
> Mark unused parameter as unused
> Add unused parameter and mark as unused
> Remove use of undeclared attribute from portage.te
> Move use of httpd_t from mojomojo.te to apache.te
> Move use of sendmail_exec_t from sendmail.te to mta.te
> Fix typos in identifier names
> Remove undeclared identifiers from shorewall interfaces
> Fix interfaces that use an undeclared identifier
> Fix typos in identifier names
> Remove undeclared identifiers from interfaces
> Fix interfaces that use an undeclared identifier
> Removed call to deprecated interface xserver_manage_xdm_spool_files()
>
> accountsd.if | 2 +-
> alsa.te | 2 +-
> apache.if | 19 +++++++++++++++++++
> bugzilla.if | 2 +-
> ccs.if | 4 ++--
> cfengine.if | 4 ++--
> cobbler.if | 6 +++---
> cron.if | 4 ++--
> cups.if | 3 +--
> dbus.if | 2 +-
> devicekit.if | 2 +-
> djbdns.if | 4 ++--
> dspam.if | 4 ++--
> evolution.if | 2 +-
> firewalld.if | 4 ++--
> ftp.te | 2 +-
> kismet.if | 4 ++--
> lsm.if | 2 +-
> mojomojo.te | 2 +-
> mta.if | 19 +++++++++++++++++++
> obex.if | 2 +-
> plymouthd.if | 2 +-
> plymouthd.te | 1 -
> portage.te | 2 --
> qemu.te | 2 +-
> rabbitmq.if | 6 ++++--
> rpm.if | 4 ++--
> rsync.if | 2 +-
> samba.if | 3 +--
> samhain.if | 2 +-
> sectoolm.if | 2 +-
> sendmail.te | 3 ++-
> setroubleshoot.if | 5 +++++
> shorewall.if | 14 ++------------
> sosreport.if | 2 +-
> sssd.if | 4 ++--
> tftp.if | 9 +++++++--
> wm.if | 2 +-
> 38 files changed, 98 insertions(+), 62 deletions(-)
>


--
Chris PeBenito