From: russell@coker.com.au (Russell Coker) Date: Thu, 16 Feb 2017 13:34:47 +1100 Subject: [refpolicy] [PATCH] dpkg related patches In-Reply-To: <6c6cbb82-985e-6e0a-d6e1-e28ea82886b7@ieee.org> References: <20170214064140.n6mlaf5ouruizi7i@athena.coker.com.au> <6c6cbb82-985e-6e0a-d6e1-e28ea82886b7@ieee.org> Message-ID: <201702161334.47987.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 16 Feb 2017 11:08:13 AM Chris PeBenito wrote: > > +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) > > +domain_entry_file(dpkg_script_t, dpkg_var_lib_t) > > What are these files? I don't know dpkg, but this seems odd. # ls -l /var/lib/dpkg/info/|grep rwx|head -rwxr-xr-x. 1 root root 614 Nov 27 08:28 accountsservice.postrm -rwxr-xr-x. 1 root root 184 Feb 7 2016 acl.postinst -rwxr-xr-x. 1 root root 165 Feb 7 2016 acl.postrm -rwxr-xr-x. 1 root root 2718 Sep 20 20:14 acpid.postinst -rwxr-xr-x. 1 root root 1614 Sep 20 20:14 acpid.postrm -rwxr-xr-x. 1 root root 1338 Sep 20 20:14 acpid.preinst -rwxr-xr-x. 1 root root 382 Sep 20 20:14 acpid.prerm -rwxr-xr-x. 1 root root 956 Sep 25 2015 acpi-fakekey.postinst -rwxr-xr-x. 1 root root 781 Sep 25 2015 acpi-fakekey.postrm -rwxr-xr-x. 1 root root 179 Sep 25 2015 acpi-fakekey.prerm Most Debian packages ship with scripts that are run before or after installation or removal. They are to run as dpkg_script_t. > > -modutils_run_depmod(dpkg_script_t, dpkg_roles) > > -modutils_run_insmod(dpkg_script_t, dpkg_roles) > > +optional_policy(` > > + dirmngr_service_manage(dpkg_script_t) > > +') > > + > > +optional_policy(` > > + modutils_run_depmod(dpkg_script_t, dpkg_roles) > > + modutils_run_insmod(dpkg_script_t, dpkg_roles) > > +') > > Please move down with the other dpkg_script_t optionals. OK.. 
> > +optional_policy(` > > + # for dpkg to create users > > + permit_in_unconfined_r(passwd_t) > > + unconfined_use_fds(passwd_t) > > +') > > I think what you're looking for is to replace the > usermanage_domtrans_passwd() with usermanage_run_passwd() with > dpkg_roles. That would fix the role association. OK. > > +interface(`init_script_service_restart',` > > init_restart_script_service() OK, but that means start and stop scripts won't necessarily be grouped when sorting alphabetically. > > +interface(`initrc_manage_service',` > > + gen_require(` > > + type initrc_exec_t; > > require class service { status start stop }; since that is a userspace > class. OK. > > --- refpolicy-2.20170214.orig/policy/modules/system/userdomain.te > > +++ refpolicy-2.20170214/policy/modules/system/userdomain.te 
> > @@ -70,6 +70,10 @@ attribute admindomain; > > > > # all user domains > > attribute userdomain; > > > > +ifdef(`distro_debian', ` > > + dpkg_read_db(userdomain) > > +') > > I think that putting this in the userdom_common_user_template() is > better, so that the base user template is kept thin. OK. > > +interface(`dev_null_manage_service',` > > Yuck. More systemd mess. Should be named dev_manage_null_service(). OK. > > + gen_require(` > > + type null_device_t; > > also require class service { status start stop reload }; since that is a > userspace class. OK. > > +interface(`dirmngr_service_manage',` > > + gen_require(` > > + type dirmngr_initrc_exec_t; > > + ') > > + > > + allow $1 dirmngr_initrc_exec_t:service { status start stop }; > > Please leverage the init_startstop_service() interface to handle most of > this which is intended to be init-agnostic I'll just drop that bit for now so we can get the rest merged. > > +interface(`systemd_logind_read_process_state',` > > Should be named systemd_read_logind_state(). OK. > > > > - clock_read_adjtime(init_t) > > + optional_policy(` > > + clock_read_adjtime(init_t) > > + ') > > This should be moved down in the ifdef block with the other init_t > optionals. OK. > > # init scripts touch this > > > > - clock_dontaudit_write_adjtime(initrc_t) > > + optional_policy(` > > + clock_dontaudit_write_adjtime(initrc_t) > > + ') > > Did you really intend to modify a Gentoo block? OK I'll revert that. I'll send you a new patch soon. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
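Review bot: The two quoted dpkg additions, spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t) and domain_entry_file(dpkg_script_t, dpkg_var_lib_t), have no comment saying which files they are meant for, and the entry type is the general dpkg_var_lib_t rather than a type reserved for scripts. As written, any file labelled dpkg_var_lib_t is a valid entrypoint for dpkg_script_t. Add a comment stating that this covers the maintainer scripts under /var/lib/dpkg/info, and consider giving those scripts their own type so that only they can be used as entrypoints.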
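Review bot: In the optional_policy block commented "# for dpkg to create users", neither permit_in_unconfined_r(passwd_t) nor unconfined_use_fds(passwd_t) names dpkg_t or dpkg_script_t, so the change applies to passwd_t no matter which domain started it. Tie the access to the dpkg domains instead, for example by passing dpkg_script_t and dpkg_roles to the usermanage interface, so that the rule matches what its comment says.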
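Review bot: In dirmngr_service_manage, the gen_require block declares only type dirmngr_initrc_exec_t, while the allow rule after it uses the service class with the status, start and stop permissions. Add class service { status start stop }; to the gen_require, which is the same fix requested in this thread for initrc_manage_service and dev_null_manage_service.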
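Review bot: In the userdomain.te hunk at @@ -70,6 +70,10 @@, dpkg_read_db(userdomain) is called inside ifdef(`distro_debian', ...) with no optional_policy wrapper and no comment. The other cross-module calls in this patch (modutils_run_depmod, clock_read_adjtime) are wrapped in optional_policy; do the same here so the call is dropped when the dpkg module is not built, and add a one-line comment saying why every user domain needs read access to the dpkg database.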