From: russell@coker.com.au (Russell Coker)
Date: Thu, 16 Feb 2017 22:57:23 +1100
Subject: [refpolicy] [PATCH] little misc patches
In-Reply-To:
References: <20170212113832.h4damrekbuv6d4xn@athena.coker.com.au>
Message-ID: <201702162257.23717.russell@coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On Mon, 13 Feb 2017 06:25:20 AM Chris PeBenito via refpolicy wrote:
> > @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
> >
> > /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> > /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s
> > 0) /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> >
> > +/usr/sbin/startx -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> This doesn't seem right. Then if you don't have XDM, regular users
> can't run startx.

Can they run startx anyway? I don't expect it to work but haven't tested it.

Anyway I removed that from my tree as it probably wouldn't work either. ;)

> > --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> > +++ refpolicy-2.20170212/policy/modules/system/logging.te
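Review bot: the +/usr/sbin/startx file context is placed in the init module's .fc next to the init and upstart entries, but startx is an X session helper, not an init binary; if the entry is kept at all, it belongs in the xserver module's file contexts rather than here, so that whoever maintains X start-up labeling finds it.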
> > @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
> >
> > init_dontaudit_use_fds(auditctl_t)
> >
> > -locallogin_dontaudit_use_fds(auditctl_t)
> > +optional_policy(`
> > + locallogin_dontaudit_use_fds(auditctl_t)
> > +')
>
> This new optional should be moved down with the other auditctl_t ones,
> above the mta_send_mail().

That's an auditd_t optional. But in any case I moved the auditctl_t one to the bottom of its section.

> > -locallogin_dontaudit_use_fds(restorecond_t)
> > +optional_policy(`
> > + locallogin_dontaudit_use_fds(restorecond_t)
> > +')
>
> This optional should move down to above the optional with
> rpm_use_script_fds().

OK.

> > -locallogin_use_fds(semanage_t)
> > +optional_policy(`
> > + locallogin_use_fds(semanage_t)
> > +')
>
> This new optional should go down after the distro_ubuntu block.

OK.

> > -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +optional_policy(`
> > + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +')
>
> This new optional should go down above the netutil_run*(dhcpc_t)
> optional block.

OK.

> > -modutils_domtrans_insmod(ifconfig_t)
> > +optional_policy(`
> > + modutils_domtrans_insmod(ifconfig_t)
> > +')
>
> This new optional should go down after the ipsec_*() optional block.

OK.

> > - ',`
> > - # Run the shell in the sysadm role for single-user mode.
> > - # causes problems with upstart
> > - sysadm_shell_domtrans(init_t)
>
> I don't think we want to remove this, as it will impact sysvinit, which
> Gentoo still uses.

Does Gentoo have systemd working?

I've added ifndef(`distro_debian' around it. That gives it clear function and clear intent for the next people who want to work on it.

> > -modutils_read_module_config(initrc_t)
> > -modutils_domtrans_insmod(initrc_t)
> > +optional_policy(`
> > + modutils_read_module_config(initrc_t)
> > + modutils_domtrans_insmod(initrc_t)
> > +')
>
> This new optional should go much farther down, between the mailman and mta
> optional blocks.

OK.
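Review bot: the removed `- ',`` line shows the init.te hunk drops the else arm of an existing ifdef along with the sysadm_shell_domtrans(init_t) call, not just the call itself; whatever conditional ends up wrapping that call, the remaining ifdef must keep its balanced quotes and closing `')`, since an unbalanced m4 branch only surfaces as a build failure rather than as something visible in the diff.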
> > +fs_read_cgroup_files(udev_t)
>
> This should go down with the other fs_* calls.

OK.

> > +# systemd-udevd needs kernel_load_module
> > +kernel_load_module(udev_t)
>
> This rule is already in, at the top of the hunk actually :)

OK.

> > +# for /bin/uname
> > +corecmd_exec_bin(local_login_t)
>
> Why would /bin/login run uname?

I can't reproduce it at this time. So I've removed it from my tree.

> > @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
> >
> > files_search_tmp($1)
> > allow $1 xdm_tmp_t:dir list_dir_perms;
> > create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> >
> > + allow $1 xdm_tmp_t:sock_file unlink;
>
> This should be a new interface, as callers won't expect the unlink
> access from a "create" interface.

I've added a new interface. It has no callers yet as I didn't make a note of which domains needed to unlink it. I'm sure I'll find some in the next few days. ;)

I'll send a new patch in a few minutes.

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
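Review bot: `allow $1 xdm_tmp_t:sock_file unlink;` by itself will not let a caller delete the socket: unlinking also needs remove_name on the xdm_tmp_t directory, and the create_sock_files_pattern() in the context grants add_name but not remove_name. In the new interface use delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t) so the directory permission travels with the sock_file rule, and add at least one caller before merge, otherwise the interface is dead code that nothing exercises.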