2017-04-17 13:46:33

by Russell Coker

Subject: [refpolicy] [PATCH] misc daemons

Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.

Index: refpolicy-2.20170417/config/file_contexts.subs_dist
===================================================================
--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
+++ refpolicy-2.20170417/config/file_contexts.subs_dist
@@ -12,13 +12,14 @@
/lib /usr/lib
/lib32 /usr/lib
/lib64 /usr/lib
-/libx32 /usr/libx32
+/libx32 /usr/lib
/sbin /usr/sbin
/etc/init.d /etc/rc.d/init.d
/lib/systemd /usr/lib/systemd
/run/lock /var/lock
/usr/lib32 /usr/lib
/usr/lib64 /usr/lib
+/usr/libx32 /usr/lib
/usr/local/lib32 /usr/lib
/usr/local/lib64 /usr/lib
/usr/local/lib /usr/lib
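Review bot: the new `/usr/libx32 /usr/lib` entry (and the retargeted `/libx32` line) makes any file context written for a `/usr/libx32` path unreachable, because the substitution is applied to the path before the context lookup happens; grep the `.fc` files for `libx32` before merging so no specific entry is silently shadowed. The entries themselves mirror the existing `/usr/lib32` and `/usr/lib64` lines, which is the right shape.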
Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
kernel_change_ring_buffer_level(dmesg_t)
kernel_list_proc(dmesg_t)
kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
# for when /usr is not mounted:
kernel_dontaudit_search_unlabeled(dmesg_t)

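Review bot: `dev_read_kmsg(dmesg_t)` lands between the `kernel_*` calls and `kernel_dontaudit_search_unlabeled(dmesg_t)`, splitting the kernel block in two; refpolicy groups interface calls by module, so it belongs after the last `kernel_` line (keeping the `# for when /usr is not mounted:` comment attached to the rule it describes), separated by a blank line. The rule itself is reasonable: util-linux dmesg reads `/dev/kmsg` by default and only falls back to the syslog(2) ring buffer that the existing `kernel_*_ring_buffer*` calls cover.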
Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
files_dontaudit_search_var(ping_t)

kernel_read_system_state(ping_t)
+dev_read_urand(ping_t)

auth_use_nsswitch(ping_t)

Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a

allow alsa_t alsa_home_t:file read_file_perms;

+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
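Review bot: `files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")` labels a directory created under the runtime (/run) tree with the lock type, and the two `manage_*_pattern` lines then let alsa_t create and delete directories and symlinks of that type wherever it can reach. If alsactl now creates a `/run/alsa` directory, that is runtime content rather than lock content and wants its own `_var_run_t` type plus a matching `.fc` entry (this patch adds none, so a relabel would not reproduce the label); if only the single lock file is involved, the existing `alsa_var_lock_t` file rules already cover it and this hunk can be dropped.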
Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
# Local policy
#

-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
allow backup_t self:process signal;
allow backup_t self:fifo_file rw_fifo_file_perms;
allow backup_t self:tcp_socket create_socket_perms;
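Review bot: the capability set grows from `dac_override` to `{ chown dac_override fsetid }` with no comment saying what needed it. `chown` plus `fsetid` is what a restore path needs to put ownership back and keep setuid/setgid bits on files it writes as a non-owner, which is plausible for backup_t, but `fsetid` is exactly the capability that preserves set-id bits across such writes, so a one-line comment above the rule naming the operation that produced the denial would help the next reader judge it.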
Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v

kernel_read_kernel_sysctls(bitlbee_t)
kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)

corenet_all_recvfrom_unlabeled(bitlbee_t)
corenet_all_recvfrom_netlabel(bitlbee_t)
Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
allow dpkg_t self:msg { send receive };

allow dpkg_t dpkg_lock_t:file manage_file_perms;
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)

spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)

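Review bot: `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` makes every `bin_t` executable that dpkg_t runs transition to dpkg_script_t, not only dpkg-reconfigure as the commit message says, and with `corecmd_bin_entry_type(dpkg_script_t)` all of `bin_t` becomes an entry point for the maintainer-script domain. If that breadth is intended, a comment on these two lines should say so; otherwise a dedicated exec type for dpkg-reconfigure with its own `.fc` entry keeps the transition narrow. Style point: these two interface calls sit inside the block of local `allow dpkg_t ...` rules, whereas refpolicy places interface calls after the local allow rules, grouped by module.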
@@ -307,6 +309,10 @@ optional_policy(`
')

optional_policy(`
+ devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')

Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)

files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)

fs_getattr_all_fs(fetchmail_t)
Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel

kernel_read_ring_buffer(kerneloops_t)
kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)

domain_use_interactive_fds(kerneloops_t)

Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
locallogin_use_fds(loadkeys_t)

miscfiles_read_localization(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)

userdom_use_user_ttys(loadkeys_t)
userdom_list_user_home_content(loadkeys_t)
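Review bot: `init_read_script_tmp_files(loadkeys_t)` is placed after `miscfiles_read_localization`, but refpolicy orders interface calls by module with `init_` ahead of `miscfiles_`, so it belongs in its own block above that line. A short comment saying what in the init script hands loadkeys a temporary file would also help, since the commit message does not mention this change and reading init-script temp files is not an obvious need for a keymap loader.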
Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
@@ -1 +1,37 @@
## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+## dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+ gen_require(`
+ type mon_var_lib_t;
+ ')
+
+ dontaudit $1 mon_var_lib_t:dir search;
+')
+
+######################################
+## <summary>
+## dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to not audit
+## </summary>
+## </param>
+#
+interface(`mon_dontaudit_fd_use',`
+ gen_require(`
+ type mon_t;
+ ')
+
+ dontaudit $1 mon_t:fd use;
+')
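Review bot: `mon_dontaudit_fd_use` does not follow the `<module>_dontaudit_<verb>_<object>` naming used elsewhere in this patch (`files_dontaudit_search_var`, `kernel_dontaudit_search_unlabeled`); the conventional name is `mon_dontaudit_use_fds`, and the caller in mta.te changes with it. Two documentation points: the summaries `dontaudit searching /var/lib/mon` and `dontaudit using an inherited fd from mon_t` should be full sentences in the usual "Do not audit attempts to ..." form, and the `######` divider lines are shorter than the 40-character dividers the udev.if hunk in this same patch uses.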
Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
files_read_etc_files(mon_t)
files_read_etc_runtime_files(mon_t)
files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)

fs_getattr_all_fs(mon_t)
fs_search_auto_mountpoints(mon_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
@@ -324,6 +324,10 @@ optional_policy(`
')
')

+optional_policy(`
+ mon_dontaudit_fd_use(mta_user_agent)
+')
+
########################################
#
# Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
')

optional_policy(`
+ mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
postfix_rw_inherited_master_pipes(mailserver_delivery)
')

Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
@@ -386,6 +386,7 @@ optional_policy(`
#

allow system_munin_plugin_t self:udp_socket create_socket_perms;
+allow system_munin_plugin_t self:capability net_admin;

rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)

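Review bot: `allow system_munin_plugin_t self:capability net_admin;` is a large grant for a monitoring plugin: CAP_NET_ADMIN covers interface, routing and firewall configuration, not just reading statistics. Denials for it from read-only tools usually come from an ioctl or socket option whose read variant works fine without the capability, in which case a `dontaudit` is the right fix; either way the rule needs a comment naming the plugin that triggered it so the grant can be revisited.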
@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu

dev_read_sysfs(system_munin_plugin_t)
dev_read_urand(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)

domain_read_all_domains_state(system_munin_plugin_t)

Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
@@ -78,7 +78,7 @@ interface(`mysql_signal',`
type mysqld_t;
')

- allow $1 mysqld_t:process signal;
+ allow $1 mysqld_t:process { signal signull };
')

########################################
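Review bot: `mysql_signal` now grants `signull` in addition to `signal`, so the interface does more than its name and its `<summary>` (outside the hunk) state. Either extend the summary to mention the existence check that `signull` serves, or add a separate `mysql_signull` interface, matching the per-permission interfaces used elsewhere in refpolicy; callers that only need a liveness check should not have to take `signal` along with it.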
Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)

-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;

allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
files_list_non_auth_dirs(rsync_t)
files_read_non_auth_files(rsync_t)
files_read_non_auth_symlinks(rsync_t)
+ getattr_fifo_files_pattern(rsync_t, file_type, file_type)
+ getattr_sock_files_pattern(rsync_t, file_type, file_type)
auth_tunable_read_shadow(rsync_t)
')

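Review bot: inside `rsync_export_all_ro`, the two new lines use `file_type` directly (`getattr_fifo_files_pattern(rsync_t, file_type, file_type)` and the sock_file twin), while the three rules above them deliberately go through the `files_*_non_auth_*` interfaces to keep security-sensitive types out, and only `auth_tunable_read_shadow` opts shadow in explicitly. getattr on every fifo and socket in the system includes those under auth-related types, so these rules should use a `files_` interface scoped to non-auth types like their neighbours, or carry a comment explaining why the full attribute is acceptable here. A contrib `.te` also normally reaches another module's attribute through an interface rather than naming `file_type` directly.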
Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)

miscfiles_read_localization(rtkit_daemon_t)

+selinux_getattr_fs(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
optional_policy(`
dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)

Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
files_read_etc_files(fsdaemon_t)
files_read_etc_runtime_files(fsdaemon_t)
files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)

fs_getattr_all_fs(fsdaemon_t)
fs_search_auto_mountpoints(fsdaemon_t)
Index: refpolicy-2.20170417/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170417/policy/modules/system/fstools.te
@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
allow fsadm_t fsadm_run_t:file manage_file_perms;
files_pid_filetrans(fsadm_t, fsadm_run_t, dir)

+# for /run/mount/utab
+stat_mount_var_run(fsadm_t)
+
# log files
allow fsadm_t fsadm_log_t:dir setattr;
manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
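Review bot: `stat_mount_var_run(fsadm_t)` is not defined anywhere in this patch, and the name lacks the `mount_` module prefix that refpolicy interfaces carry (compare `files_pid_filetrans` and `udev_read_db` in the same file). If it comes from a separate pending patch, the commit message should say so; otherwise this hunk will not build. The `# for /run/mount/utab` comment is the kind of justification the other hunks are missing.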
@@ -208,6 +211,10 @@ optional_policy(`

optional_policy(`
udev_read_db(fsadm_t)
+
+ # Xen causes losetup to run with a presumably accidentally inherited
+ # file handle for /run/xen-hotplug/block
+ dontaudit_udev_pidfile_rw(fsadm_t)
')

optional_policy(`
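Review bot: the comment explains the Xen/losetup case well (it is an inherited file descriptor rather than a "file handle"), but `dontaudit_udev_pidfile_rw` breaks the `udev_` prefix convention; since the interface is introduced in udev.if by this same patch, it can still be renamed to the conventional `udev_dontaudit_rw_pid_files` form (matching `udev_read_db` directly above it) before it is merged, and this caller then changes with it.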
Index: refpolicy-2.20170417/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170417/policy/modules/system/udev.if
@@ -301,6 +301,24 @@ interface(`udev_list_pids',`

########################################
## <summary>
+## dontaudit attempts to read/write udev pidfiles
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dontaudit_udev_pidfile_rw',`
+ gen_require(`
+ type udev_var_run_t;
+ ')
+
+ dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## udev pid directories
## </summary>
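Review bot: `dontaudit_udev_pidfile_rw` should be named `udev_dontaudit_rw_pid_files` (module prefix first, like `udev_list_pids` in the hunk header and the `files_dontaudit_search_var`-style names elsewhere in the patch), and the `<param>` summary reads `Domain allowed access.`, which is wrong for a dontaudit interface where nothing is allowed; the mon.if hunk in this patch uses `Domain to not audit`. The rule body `dontaudit $1 udev_var_run_t:file { read write };` is fine.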


2017-04-17 16:39:46

by guido

Subject: [refpolicy] [PATCH] misc daemons

Hi,

I think there is one more kernel interface call to skip before inserting the dev_read_kmsg(dmesg_t) call.

Regards,

Guido

On the 17th of April 2017 15:46:33 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>Put in libx32 subs entries that refer to directories with fc entries.
>
>Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
>dpkg-reconfigure.
>
>Some dontaudit rules for mta processes spawned by mon for notification.
>
>Lots of tiny changes that are obvious.
>
>Index: refpolicy-2.20170417/config/file_contexts.subs_dist
>===================================================================
>--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
>+++ refpolicy-2.20170417/config/file_contexts.subs_dist
>@@ -12,13 +12,14 @@
> /lib /usr/lib
> /lib32 /usr/lib
> /lib64 /usr/lib
>-/libx32 /usr/libx32
>+/libx32 /usr/lib
> /sbin /usr/sbin
> /etc/init.d /etc/rc.d/init.d
> /lib/systemd /usr/lib/systemd
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
>+/usr/libx32 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
>Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
>+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
>@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
> kernel_change_ring_buffer_level(dmesg_t)
> kernel_list_proc(dmesg_t)
> kernel_read_proc_symlinks(dmesg_t)
>+dev_read_kmsg(dmesg_t)
>+
> # for when /usr is not mounted:
> kernel_dontaudit_search_unlabeled(dmesg_t)
>
>Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
>+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
>@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
> files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
>+dev_read_urand(ping_t)
>
> auth_use_nsswitch(ping_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
>+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
>@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
>+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
>+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
>+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
>+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
>@@ -21,7 +21,7 @@ files_type(backup_store_t)
> # Local policy
> #
>
>-allow backup_t self:capability dac_override;
>+allow backup_t self:capability { chown dac_override fsetid };
> allow backup_t self:process signal;
> allow backup_t self:fifo_file rw_fifo_file_perms;
> allow backup_t self:tcp_socket create_socket_perms;
>Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
>+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
>
> kernel_read_kernel_sysctls(bitlbee_t)
> kernel_read_system_state(bitlbee_t)
>+kernel_read_crypto_sysctls(bitlbee_t)
>
> corenet_all_recvfrom_unlabeled(bitlbee_t)
> corenet_all_recvfrom_netlabel(bitlbee_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
>+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
> allow dpkg_t self:msg { send receive };
>
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
>+corecmd_bin_entry_type(dpkg_script_t)
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>
>@@ -307,6 +309,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ devicekit_dbus_chat_power(dpkg_script_t)
>+')
>+
>+optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
>+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
>@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
>
> files_read_etc_runtime_files(fetchmail_t)
>+files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
>
> fs_getattr_all_fs(fetchmail_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
>+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
>
> kernel_read_ring_buffer(kerneloops_t)
> kernel_read_system_state(kerneloops_t)
>+dev_read_urand(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
>+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
> locallogin_use_fds(loadkeys_t)
>
> miscfiles_read_localization(loadkeys_t)
>+init_read_script_tmp_files(loadkeys_t)
>
> userdom_use_user_ttys(loadkeys_t)
> userdom_list_user_home_content(loadkeys_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
>@@ -1 +1,37 @@
> ## <summary>mon network monitoring daemon.</summary>
>+
>+######################################
>+## <summary>
>+## dontaudit searching /var/lib/mon
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit
>+## </summary>
>+## </param>
>+#
>+interface(`mon_dontaudit_search_var_lib',`
>+ gen_require(`
>+ type mon_var_lib_t;
>+ ')
>+
>+ dontaudit $1 mon_var_lib_t:dir search;
>+')
>+
>+######################################
>+## <summary>
>+## dontaudit using an inherited fd from mon_t
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain to not audit
>+## </summary>
>+## </param>
>+#
>+interface(`mon_dontaudit_fd_use',`
>+ gen_require(`
>+ type mon_t;
>+ ')
>+
>+ dontaudit $1 mon_t:fd use;
>+')
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
>@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
> files_read_etc_files(mon_t)
> files_read_etc_runtime_files(mon_t)
> files_read_usr_files(mon_t)
>+files_search_var_lib(mon_t)
>
> fs_getattr_all_fs(mon_t)
> fs_search_auto_mountpoints(mon_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
>@@ -324,6 +324,10 @@ optional_policy(`
> ')
> ')
>
>+optional_policy(`
>+ mon_dontaudit_fd_use(mta_user_agent)
>+')
>+
> ########################################
> #
> # Mailserver delivery local policy
>@@ -379,6 +383,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ mon_dontaudit_search_var_lib(mailserver_delivery)
>+')
>+
>+optional_policy(`
> postfix_rw_inherited_master_pipes(mailserver_delivery)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
>+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
>@@ -386,6 +386,7 @@ optional_policy(`
> #
>
> allow system_munin_plugin_t self:udp_socket create_socket_perms;
>+allow system_munin_plugin_t self:capability net_admin;
>
>rw_files_pattern(system_munin_plugin_t, munin_var_lib_t,
>munin_var_lib_t)
>
>@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
>
> dev_read_sysfs(system_munin_plugin_t)
> dev_read_urand(system_munin_plugin_t)
>+files_read_usr_files(system_munin_plugin_t)
>
> domain_read_all_domains_state(system_munin_plugin_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
>@@ -78,7 +78,7 @@ interface(`mysql_signal',`
> type mysqld_t;
> ')
>
>- allow $1 mysqld_t:process signal;
>+ allow $1 mysqld_t:process { signal signull };
> ')
>
> ########################################
>Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
>+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
>@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>
>-allow ntpd_t ntpd_lock_t:file write_file_perms;
>+allow ntpd_t ntpd_lock_t:file rw_file_perms;
>
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
>@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> files_list_non_auth_dirs(rsync_t)
> files_read_non_auth_files(rsync_t)
> files_read_non_auth_symlinks(rsync_t)
>+ getattr_fifo_files_pattern(rsync_t, file_type, file_type)
>+ getattr_sock_files_pattern(rsync_t, file_type, file_type)
> auth_tunable_read_shadow(rsync_t)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
>
> miscfiles_read_localization(rtkit_daemon_t)
>
>+selinux_getattr_fs(rtkit_daemon_t)
>+seutil_search_default_contexts(rtkit_daemon_t)
>+
> optional_policy(`
> dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
>@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
> files_read_etc_files(fsdaemon_t)
> files_read_etc_runtime_files(fsdaemon_t)
> files_read_usr_files(fsdaemon_t)
>+files_search_var_lib(fsdaemon_t)
>
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
>Index: refpolicy-2.20170417/policy/modules/system/fstools.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
>+++ refpolicy-2.20170417/policy/modules/system/fstools.te
>@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> allow fsadm_t fsadm_run_t:file manage_file_perms;
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
>+# for /run/mount/utab
>+stat_mount_var_run(fsadm_t)
>+
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
>@@ -208,6 +211,10 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(fsadm_t)
>+
>+ # Xen causes losetup to run with a presumably accidentally inherited
>+ # file handle for /run/xen-hotplug/block
>+ dontaudit_udev_pidfile_rw(fsadm_t)
> ')
>
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/udev.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
>+++ refpolicy-2.20170417/policy/modules/system/udev.if
>@@ -301,6 +301,24 @@ interface(`udev_list_pids',`
>
> ########################################
> ## <summary>
>+## dontaudit attempts to read/write udev pidfiles
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`dontaudit_udev_pidfile_rw',`
>+ gen_require(`
>+ type udev_var_run_t;
>+ ')
>+
>+ dontaudit $1 udev_var_run_t:file { read write };
>+')
>+
>+########################################
>+## <summary>
> ## Create, read, write, and delete
> ## udev pid directories
> ## </summary>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy

2017-04-19 00:38:36

by Chris PeBenito

Subject: [refpolicy] [PATCH] misc daemons

On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:
> Put in libx32 subs entries that refer to directories with fc entries.
>
> Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
> dpkg-reconfigure.
>
> Some dontaudit rules for mta processes spawned by mon for notification.
>
> Lots of tiny changes that are obvious.

Merged with some line moving and a few notes (following)


> Index: refpolicy-2.20170417/config/file_contexts.subs_dist
> ===================================================================
> --- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
> +++ refpolicy-2.20170417/config/file_contexts.subs_dist
> @@ -12,13 +12,14 @@
> /lib /usr/lib
> /lib32 /usr/lib
> /lib64 /usr/lib
> -/libx32 /usr/libx32
> +/libx32 /usr/lib
> /sbin /usr/sbin
> /etc/init.d /etc/rc.d/init.d
> /lib/systemd /usr/lib/systemd
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
> +/usr/libx32 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
> Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
> +++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
> @@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
> kernel_change_ring_buffer_level(dmesg_t)
> kernel_list_proc(dmesg_t)
> kernel_read_proc_symlinks(dmesg_t)
> +dev_read_kmsg(dmesg_t)
> +
> # for when /usr is not mounted:
> kernel_dontaudit_search_unlabeled(dmesg_t)
>
> Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20170417/policy/modules/admin/netutils.te
> @@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
> files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
> +dev_read_urand(ping_t)
>
> auth_use_nsswitch(ping_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
> +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
> @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
> +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
> +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)

This doesn't seem to fit since /var/lock/asound\.state\.lock is the only
lockfile. How is the locking changing?

> list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
> +++ refpolicy-2.20170417/policy/modules/contrib/backup.te
> @@ -21,7 +21,7 @@ files_type(backup_store_t)
> # Local policy
> #
>
> -allow backup_t self:capability dac_override;
> +allow backup_t self:capability { chown dac_override fsetid };
> allow backup_t self:process signal;
> allow backup_t self:fifo_file rw_fifo_file_perms;
> allow backup_t self:tcp_socket create_socket_perms;
> Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
> +++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> @@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
>
> kernel_read_kernel_sysctls(bitlbee_t)
> kernel_read_system_state(bitlbee_t)
> +kernel_read_crypto_sysctls(bitlbee_t)
>
> corenet_all_recvfrom_unlabeled(bitlbee_t)
> corenet_all_recvfrom_netlabel(bitlbee_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> @@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
> allow dpkg_t self:msg { send receive };
>
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
> +corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
> +corecmd_bin_entry_type(dpkg_script_t)
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>
> @@ -307,6 +309,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_power(dpkg_script_t)
> +')
> +
> +optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
> +++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
>
> files_read_etc_runtime_files(fetchmail_t)
> +files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
>
> fs_getattr_all_fs(fetchmail_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> @@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
>
> kernel_read_ring_buffer(kerneloops_t)
> kernel_read_system_state(kerneloops_t)
> +dev_read_urand(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
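Review bot: dev_read_urand(kerneloops_t) is appended directly to the kernel_* block; refpolicy keeps the kernel_, dev_ and domain_ groups in separate paragraphs, so this line should sit on its own between kernel_read_system_state and domain_use_interactive_fds with a blank line on each side.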
> Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
> +++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> @@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
> locallogin_use_fds(loadkeys_t)
>
> miscfiles_read_localization(loadkeys_t)
> +init_read_script_tmp_files(loadkeys_t)
>
> userdom_use_user_ttys(loadkeys_t)
> userdom_list_user_home_content(loadkeys_t)
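Review bot: init_read_script_tmp_files(loadkeys_t) is filed after miscfiles_read_localization but sorts before locallogin_use_fds. Please add a comment saying which init script hands loadkeys a temporary file, since read access to every init script tmp file is broader than a keymap loader obviously needs.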
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.if
> @@ -1 +1,37 @@
> ## <summary>mon network monitoring daemon.</summary>
> +
> +######################################
> +## <summary>
> +## dontaudit searching /var/lib/mon
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit
> +## </summary>
> +## </param>
> +#
> +interface(`mon_dontaudit_search_var_lib',`
> + gen_require(`
> + type mon_var_lib_t;
> + ')
> +
> + dontaudit $1 mon_var_lib_t:dir search;
> +')
> +
> +######################################
> +## <summary>
> +## dontaudit using an inherited fd from mon_t
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to not audit
> +## </summary>
> +## </param>
> +#
> +interface(`mon_dontaudit_fd_use',`
> + gen_require(`
> + type mon_t;
> + ')
> +
> + dontaudit $1 mon_t:fd use;
> +')
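Review bot: mon_dontaudit_fd_use does not follow the refpolicy naming pattern for this rule, which is <module>_dontaudit_use_fds (compare init_dontaudit_use_fds); rename it before callers land in mta.te. Both summaries are rendered into the interface documentation, so write them in the sentence form used elsewhere ("Do not audit attempts to search mon /var/lib directories." and "Do not audit attempts to use mon file descriptors.") rather than lower-case "dontaudit ...".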
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.te
> @@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
> files_read_etc_files(mon_t)
> files_read_etc_runtime_files(mon_t)
> files_read_usr_files(mon_t)
> +files_search_var_lib(mon_t)
>
> fs_getattr_all_fs(mon_t)
> fs_search_auto_mountpoints(mon_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mta.te
> @@ -324,6 +324,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + mon_dontaudit_fd_use(mta_user_agent)
> +')
> +
> ########################################
> #
> # Mailserver delivery local policy
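Review bot: mon_dontaudit_fd_use(mta_user_agent) hides a descriptor that mon leaks into the mailer it spawns; that is the right treatment for a harmless inherited fd, but the call must track whatever name mon.if finally uses, and a comment (`# inherited from mon when it sends notifications`) would explain why an mta attribute references the mon module at all.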
> @@ -379,6 +383,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mon_dontaudit_search_var_lib(mailserver_delivery)
> +')
> +
> +optional_policy(`
> postfix_rw_inherited_master_pipes(mailserver_delivery)
> ')
>
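Review bot: a delivery agent searching /var/lib/mon looks like an inherited working directory from mon_t (the commit message says these processes are spawned by mon), and dontaudit is correct for that, but please say so in a comment next to mon_dontaudit_search_var_lib(mailserver_delivery); otherwise the next reader cannot tell this from a missing allow rule.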
> Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
> +++ refpolicy-2.20170417/policy/modules/contrib/munin.te
> @@ -386,6 +386,7 @@ optional_policy(`
> #
>
> allow system_munin_plugin_t self:udp_socket create_socket_perms;
> +allow system_munin_plugin_t self:capability net_admin;
>
> rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
>
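Review bot: `allow system_munin_plugin_t self:capability net_admin;` is a large grant for a monitoring plugin: net_admin covers interface, routing and firewall configuration, far beyond reading counters. Name the plugin that needs it in a comment, and if it is a tool that merely attempts net_admin and carries on without it (a common source of this denial), a dontaudit is the better choice.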
> @@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
>
> dev_read_sysfs(system_munin_plugin_t)
> dev_read_urand(system_munin_plugin_t)
> +files_read_usr_files(system_munin_plugin_t)
>
> domain_read_all_domains_state(system_munin_plugin_t)
>
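Review bot: files_read_usr_files(system_munin_plugin_t) is placed inside the dev_* paragraph; the files_* group belongs after domain_read_all_domains_state, separated by a blank line, following the kernel_/dev_/domain_/files_ ordering refpolicy uses.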
> Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
> @@ -78,7 +78,7 @@ interface(`mysql_signal',`
> type mysqld_t;
> ')
>
> - allow $1 mysqld_t:process signal;
> + allow $1 mysqld_t:process { signal signull };

I'd prefer a separate interface. Dropped since I can't determine which
domain(s) would call the new interface.

> ')
>
> ########################################
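Review bot: adding signull to mysql_signal silently widens every existing caller of that interface, not just the domain that prompted the change; a separate mysql_signull interface keeps the grant explicit per caller, which is why the split is preferable even if signull itself is low risk.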
> Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
> @@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>
> -allow ntpd_t ntpd_lock_t:file write_file_perms;
> +allow ntpd_t ntpd_lock_t:file rw_file_perms;
>
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
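Review bot: changing ntpd_lock_t from write_file_perms to rw_file_perms is a strict superset (it only adds read), so nothing regresses, but reading a lock file is unusual and the hunk gives no reason; a comment on what ntpd reads back from it (a stored pid, for instance) would make the widening reviewable later.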
> Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
> @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> files_list_non_auth_dirs(rsync_t)
> files_read_non_auth_files(rsync_t)
> files_read_non_auth_symlinks(rsync_t)
> + getattr_fifo_files_pattern(rsync_t, file_type, file_type)
> + getattr_sock_files_pattern(rsync_t, file_type, file_type)

Dropped due to encapsulation problem (needs to use interfaces)

> auth_tunable_read_shadow(rsync_t)
> ')
>
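Review bot: beyond the encapsulation problem, the two pattern calls target file_type, which includes the auth-related types that the surrounding files_*_non_auth_* rules in this tunable deliberately exclude; when this is redone through interfaces, keep the same non-auth scope, or justify getattr on every pipe and socket on the system, which is what file_type gives.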
> Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> @@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
>
> miscfiles_read_localization(rtkit_daemon_t)
>
> +selinux_getattr_fs(rtkit_daemon_t)
> +seutil_search_default_contexts(rtkit_daemon_t)
> +
> optional_policy(`
> dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
>
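Review bot: selinux_getattr_fs and seutil_search_default_contexts for a realtime-priority daemon have the signature of a library (libselinux via dbus) probing SELinux state rather than a genuine need. If rtkit works with these denied, a dontaudit is preferable to granting search on the contexts directory; either way, a comment on what triggers the access is needed.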
> Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> @@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
> files_read_etc_files(fsdaemon_t)
> files_read_etc_runtime_files(fsdaemon_t)
> files_read_usr_files(fsdaemon_t)
> +files_search_var_lib(fsdaemon_t)
>
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
> Index: refpolicy-2.20170417/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170417/policy/modules/system/fstools.te
> @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> allow fsadm_t fsadm_run_t:file manage_file_perms;
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
> +# for /run/mount/utab
> +stat_mount_var_run(fsadm_t)

Doesn't exist (and incorrect interface name)


> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
> @@ -208,6 +211,10 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(fsadm_t)
> +
> + # Xen causes losetup to run with a presumably accidentally inherited
> + # file handle for /run/xen-hotplug/block
> + dontaudit_udev_pidfile_rw(fsadm_t)
> ')
>
> optional_policy(`
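Review bot: dontaudit_udev_pidfile_rw(fsadm_t) calls an interface whose name lacks the udev_ module prefix; once udev.if is corrected to the udev_dontaudit_* form this call must change in lockstep or the build breaks. The comment is good; it is worth adding that the leak originates in the Xen hotplug scripts, not in fsadm, so nobody later "fixes" it by allowing read and write.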
> Index: refpolicy-2.20170417/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170417/policy/modules/system/udev.if
> @@ -301,6 +301,24 @@ interface(`udev_list_pids',`
>
> ########################################
> ## <summary>
> +## dontaudit attempts to read/write udev pidfiles
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dontaudit_udev_pidfile_rw',`

Renamed

> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + dontaudit $1 udev_var_run_t:file { read write };
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## udev pid directories
> ## </summary>
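Review bot: the new interface's parameter summary reads "Domain allowed access." but this is a dontaudit rule, so it should say "Domain to not audit."; the name also needs the module prefix (udev_dontaudit_rw_pid_files or similar) to match udev_list_pids above it. The description should use the sentence form of the neighbouring interfaces ("Do not audit attempts to read and write udev pid files.") rather than "dontaudit attempts to read/write udev pidfiles".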



--
Chris PeBenito

2017-04-19 04:47:50

by Russell Coker

Subject: [refpolicy] [PATCH] misc daemons

On Wed, 19 Apr 2017 10:38:36 AM Chris PeBenito wrote:
> On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:
> > Put in libx32 subs entries that refer to directories with fc entries.
> >
> > Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
> > dpkg-reconfigure.
> >
> > Some dontaudit rules for mta processes spawned by mon for notification.
> >
> > Lots of tiny changes that are obvious.
>
> Merged with some line moving and a few notes (following)

Thanks.

> > --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
> > +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
> > @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
> >
> > allow alsa_t alsa_home_t:file read_file_perms;
> >
> > +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
> > +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> > +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
>
> This doesn't seem to fit since /var/lock/asound\.state\.lock is the only
> lockfile. How is the locking changing?

I can't remember. With things like this, if you think it shouldn't be in there, just drop them and I'll do further investigation. For all I know the latest
version of the alsa utilities might not even require such access any more.

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
> > +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
> > @@ -78,7 +78,7 @@ interface(`mysql_signal',`
> >
> > type mysqld_t;
> >
> > ')
> >
> > - allow $1 mysqld_t:process signal;
> > + allow $1 mysqld_t:process { signal signull };
>
> I'd prefer a separate interface. Dropped since I can't determine which
> domain(s) would call the new interface.

In what situation could it be reasonable to allow signal access without
allowing signull? It's like permitting file read and write but not getattr: sure,
you can make access finer grained, but is there any point?

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
> > +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
> > @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> >
> > files_list_non_auth_dirs(rsync_t)
> > files_read_non_auth_files(rsync_t)
> > files_read_non_auth_symlinks(rsync_t)
> >
> > + getattr_fifo_files_pattern(rsync_t, file_type, file_type)
> > + getattr_sock_files_pattern(rsync_t, file_type, file_type)
>
> Dropped due to encapsulation problem (needs to use interfaces)

OK, I'll make a new patch for this.

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
> > +++ refpolicy-2.20170417/policy/modules/system/fstools.te
> > @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> >
> > allow fsadm_t fsadm_run_t:file manage_file_perms;
> > files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
> >
> > +# for /run/mount/utab
> > +stat_mount_var_run(fsadm_t)
>
> Doesn't exist (and incorrect interface name)

Does on Debian. Should I put it in an ifdef distro_debian? What would be the
correct interface name?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/

2017-04-20 22:24:05

by Chris PeBenito

Subject: [refpolicy] [PATCH] misc daemons

On 04/19/2017 12:47 AM, Russell Coker wrote:
> On Wed, 19 Apr 2017 10:38:36 AM Chris PeBenito wrote:
>> On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:

>>>
>>> allow fsadm_t fsadm_run_t:file manage_file_perms;
>>> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>>>
>>> +# for /run/mount/utab
>>> +stat_mount_var_run(fsadm_t)
>>
>> Doesn't exist (and incorrect interface name)
>
> Does on Debian. Should I put it in an ifdef distro_debian? What would be the
> correct interface name?

I'm not sure what the interface does, so I can't suggest a name, other than that
the name starts with the module's name (i.e. stat isn't a module).
Regardless, I can't have a call to a nonexistent interface upstream in
any case.

--
Chris PeBenito

2017-04-21 05:35:53

by Russell Coker

Subject: [refpolicy] [PATCH] misc daemons

On Fri, 21 Apr 2017 08:24:05 AM Chris PeBenito via refpolicy wrote:
> >>> +# for /run/mount/utab
> >>> +stat_mount_var_run(fsadm_t)
> >>
> >> Doesn't exist (and incorrect interface name)
> >
> > Does on Debian. Should I put it in an ifdef distro_debian? What would be
> > the correct interface name?
>
> I'm not sure what the interface does to suggest a name other than the
> name starts with the module's name (i.e. stat isn't a module).
> Regardless, I can't have a call to a nonexistent interface upstream in
> any case.

Sorry, I thought you meant that the file /run/mount/utab didn't exist.

I've added that policy to a later patch with a better interface name.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/