This patch allows setfiles to use file handles inherited from apt (for dpkg
postinst scripts), adds those rsync permissions that were rejected previously
due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
allows system_cronjob_t some access it requires (including net_admin for
when it runs utilities that set buffers).
Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
@@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
')
optional_policy(`
+ apt_use_fds(setfiles_t)
+')
+
+optional_policy(`
hotplug_use_fds(setfiles_t)
')
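Review bot: The new `apt_use_fds(setfiles_t)` block has no comment saying which caller hands setfiles a file descriptor opened by apt, although the cover text gives the reason (dpkg postinst scripts); that reason belongs in the policy next to the rule, e.g. `# dpkg postinst scripts run setfiles with fds inherited from apt`. The placement mirrors the neighbouring `hotplug_use_fds` block, so the structure itself is fine.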
Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
+++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
@@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
fs_getattr_all_fs(rsync_t)
fs_search_auto_mountpoints(rsync_t)
+files_getattr_all_pipes(rsync_t)
+files_getattr_all_sockets(rsync_t)
files_search_home(rsync_t)
auth_can_read_shadow_passwords(rsync_t)
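Review bot: `files_getattr_all_pipes` and `files_getattr_all_sockets` grant getattr on every pipe and socket type in the policy, and nothing in the hunk records which rsync operation produced the denial that motivated them. Add a comment naming the trigger, e.g. `# rsync stat()s the pipe or socket it inherited as stdio` (adjusted to the actual audit record), so a later reader can judge whether the all-types form is still required. If the denials were only on inherited stdio, a rule scoped to the specific parent domain's type may suffice; that cannot be confirmed from the hunk.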
Index: refpolicy-2.20170421/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170421/policy/modules/system/fstools.te
@@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)
miscfiles_read_localization(fsadm_t)
+# for /run/mount/utab
+mount_getattr_runfile(fsadm_t)
+
# losetup: bind mount_loopback_t files to loop devices
mount_rw_loopback_files(fsadm_t)
Index: refpolicy-2.20170421/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/system/mount.if
+++ refpolicy-2.20170421/policy/modules/system/mount.if
@@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
')
+########################################
+## <summary>
+## Getattr on mount_var_run_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mount_getattr_runfile',`
+ gen_require(`
+ type mount_var_run_t;
+ ')
+
+ allow $1 mount_var_run_t:file getattr;
+')
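Review bot: `allow $1 mount_var_run_t:file getattr;` alone is unlikely to make a stat of /run/mount/utab succeed, because the path walk also needs search on the `mount_var_run_t` directory; the refpolicy form is `getattr_files_pattern($1, mount_var_run_t, mount_var_run_t)`, which grants both (search on /run itself is still the caller's responsibility). The name also departs from the `mount_rw_runtime_files` interface shown as context, which uses the `runtime` naming and the `mount_runtime_t` type; unless `mount_var_run_t` is still declared in this tree (for instance as an alias), the `gen_require` will fail at build time, and in any case `mount_getattr_runtime_files` would match its neighbours. The fstools.te hunk above calls the interface by the new name and would need the same rename.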
Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
+++ refpolicy-2.20170421/policy/modules/contrib/cron.te
@@ -336,6 +336,23 @@ ifdef(`distro_debian',`
optional_policy(`
logwatch_search_cache_dir(crond_t)
')
+ optional_policy(`
+ apt_manage_cache(system_cronjob_t)
+ apt_read_db(system_cronjob_t)
+ dpkg_manage_db(system_cronjob_t)
+ ')
+')
+
+optional_policy(`
+ acct_manage_data(system_cronjob_t)
+')
+
+optional_policy(`
+ ntp_admin(system_cronjob_t, system_r)
+')
+
+optional_policy(`
+ apache_delete_lib_files(system_cronjob_t)
')
ifdef(`distro_redhat',`
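Review bot: None of the new `optional_policy` blocks say which cron job needs them, and `dpkg_manage_db` together with `apt_manage_cache` gives every system cron job write access to the package database and cache, which is the kind of grant this file otherwise explains inline (compare `# so cron jobs can restart daemons` further down). Add a comment per block naming the job, e.g. `# <JOB-NAME placeholder> refreshes the apt cache` above the apt/dpkg block, and consider whether that job would be better served by a transition to its own domain than by widening system_cronjob_t for all jobs; that cannot be decided from the hunk. The same comment applies to the `acct_manage_data` and `apache_delete_lib_files` blocks.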
@@ -425,6 +442,7 @@ optional_policy(`
systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
# so cron jobs can restart daemons
init_stream_connect(system_cronjob_t)
+ init_manage_script_service(system_cronjob_t)
')
optional_policy(`
@@ -436,14 +454,15 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
allow system_cronjob_t self:process { signal_perms getsched setsched };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
-allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
+allow system_cronjob_t cron_log_t:file manage_file_perms;
logging_log_filetrans(system_cronjob_t, cron_log_t, file)
+logging_manage_generic_logs(system_cronjob_t)
allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
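Review bot: `net_admin` is added to the `self:capability` set with no comment, and it is far broader than the socket-buffer tuning the cover text gives as the reason, since the same capability also covers interface, routing and firewall configuration. Record the reason next to the rule, e.g. `# net_admin: cron-run utilities raise socket buffer sizes`, and if a single utility is the one that needs it, a dedicated domain for that utility would keep the capability away from every other system cron job.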
@@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
-files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
+files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
+allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
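Review bot: `allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;` is a raw allow placed directly under lines that use the pattern macros; `manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)` keeps the style consistent with the neighbouring `manage_files_pattern`/`manage_lnk_files_pattern` calls. A short comment on why cron jobs now need to create directories in /tmp (the `dir` class added to `files_tmp_filetrans`) would also help the next reader.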
@@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
allow system_cronjob_t cron_spool_t:dir list_dir_perms;
allow system_cronjob_t cron_spool_t:file rw_file_perms;
-allow system_cronjob_t crond_tmp_t:file { read write };
+allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
+allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
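Review bot: `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` grants access to `cronjob_t`, which in refpolicy is the per-user cron job domain, yet it sits in the section headed `# System local policy` among `system_cronjob_t` rules. Move it to where the `cronjob_t` rules live in this file, or, if the tree keeps no separate section for it, add a comment such as `# user cron jobs also read/write crond's inherited tmp files` so the out-of-place domain does not look like a typo.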
@@ -563,6 +584,10 @@ optional_policy(`
')
optional_policy(`
+ read_mrtg_etc(system_cronjob_t)
+')
+
+optional_policy(`
cyrus_manage_data(system_cronjob_t)
')
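Review bot: `read_mrtg_etc` does not follow the refpolicy interface naming convention of module prefix first, so it will not sort or grep with the other `mrtg_*` interfaces; the call here and the definition in the mrtg.if hunk below should both use a name such as `mrtg_read_config`. The `optional_policy` wrapper and its placement next to the `cyrus_manage_data` block are otherwise consistent with the file.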
Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
+++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
@@ -2,6 +2,24 @@
########################################
## <summary>
+## Read mrtg configuration
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`read_mrtg_etc',`
+ gen_require(`
+ type mrtg_etc_t;
+ ')
+
+ allow $1 mrtg_etc_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create and append mrtg log files.
## </summary>
## <param name="domain">
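Review bot: The new interface's `allow $1 mrtg_etc_t:file read_file_perms;` does not grant search on the directories leading to the configuration, so a caller that does not already hold `files_search_etc` will still be denied on the path walk; add `files_search_etc($1)` before the allow. If `mrtg_etc_t` also labels a directory in this tree (not visible here), `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` is the idiomatic form and covers the directory search as well.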
Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
===================================================================
--- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
+++ refpolicy-2.20170421/policy/modules/contrib/apt.if
@@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
## </summary>
## </param>
#
+interface(`apt_manage_cache',`
+ gen_require(`
+ type apt_var_cache_t;
+ ')
+
+ files_search_var($1)
+ allow $1 apt_var_cache_t:dir manage_dir_perms;
+ allow $1 apt_var_cache_t:file manage_file_perms;
+')
+
+########################################
+## <summary>
+## Read apt package cache content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
interface(`apt_read_cache',`
gen_require(`
type apt_var_cache_t;
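Review bot: `apt_manage_cache` is inserted directly under the doc block whose closing `#` is the context line at the top of the hunk, and that block presumably introduced `apt_read_cache` (the new doc block written for `apt_read_cache` is the one that says "Read apt package cache content."), so the inherited summary — outside the hunk — now describes a manage interface as read access. Update that summary to describe creation, writing and deletion, e.g. `## Create, read, write, and delete apt package cache content.` The body could also use `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)` to match refpolicy style.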
On 04/26/2017 12:23 PM, Russell Coker via refpolicy wrote:
> This patch allows setfiles to use file handles inherited from apt (for dpkg
> postinst scripts), adds those rsync permissions that were rejected previously
> due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
> allows system_cronjob_t some access it requires (including net_admin for
> when it runs utilities that set buffers).
I took almost everything, but there was a lot of moving in cron. There
are a couple of notes:
> Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> @@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + apt_use_fds(setfiles_t)
> +')
> +
> +optional_policy(`
> hotplug_use_fds(setfiles_t)
> ')
> Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
> @@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
> fs_getattr_all_fs(rsync_t)
> fs_search_auto_mountpoints(rsync_t)
>
> +files_getattr_all_pipes(rsync_t)
> +files_getattr_all_sockets(rsync_t)
> files_search_home(rsync_t)
>
> auth_can_read_shadow_passwords(rsync_t)
> Index: refpolicy-2.20170421/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170421/policy/modules/system/fstools.te
> @@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)
>
> miscfiles_read_localization(fsadm_t)
>
> +# for /run/mount/utab
> +mount_getattr_runfile(fsadm_t)
> +
> # losetup: bind mount_loopback_t files to loop devices
> mount_rw_loopback_files(fsadm_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170421/policy/modules/system/mount.if
> @@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
> ')
>
> +########################################
> +## <summary>
> +## Getattr on mount_var_run_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mount_getattr_runfile',`
> + gen_require(`
> + type mount_var_run_t;
> + ')
> +
> + allow $1 mount_var_run_t:file getattr;
> +')
> Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170421/policy/modules/contrib/cron.te
> @@ -336,6 +336,23 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + dpkg_manage_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)
The admin interfaces aren't intended to be used like this.
> +')
> +
> +optional_policy(`
> + apache_delete_lib_files(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
> @@ -425,6 +442,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -436,14 +454,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;
I'm skeptical of this because then a rogue cronjob can destroy some
evidence of what it's doing.
> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)
Why is this needed? The same comment also applies as above.
> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> @@ -563,6 +584,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
> Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> @@ -2,6 +2,24 @@
>
> ########################################
> ## <summary>
> +## Read mrtg configuration
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`read_mrtg_etc',`
> + gen_require(`
> + type mrtg_etc_t;
> + ')
> +
> + allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create and append mrtg log files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170421/policy/modules/contrib/apt.if
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
> ## </summary>
> ## </param>
> #
> +interface(`apt_manage_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir manage_dir_perms;
> + allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +## Read apt package cache content.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> interface(`apt_read_cache',`
> gen_require(`
> type apt_var_cache_t;
--
Chris PeBenito