From: pebenito@ieee.org (Chris PeBenito)
Date: Sat, 18 Feb 2017 08:58:18 -0500
Subject: [refpolicy] [PATCH] little misc patches 2
In-Reply-To: <20170216134001.rosoqrzfqerviexz@athena.coker.com.au>
References: <20170216134001.rosoqrzfqerviexz@athena.coker.com.au>
Message-ID: <676a7924-9d83-4b8b-2cdb-8ecf200c00b8@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/16/17 08:40, Russell Coker via refpolicy wrote:
> Here's version 2 of the little misc patch with all the requested changes.
Merged, with a couple tweaks:
> Index: refpolicy-2.20170216/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170216/policy/modules/system/init.fc
> @@ -34,7 +34,6 @@ ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
>
> -
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> @@ -42,6 +41,7 @@ ifdef(`distro_gentoo', `
> /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)
Moved this up.
> ifdef(`distro_gentoo', `
> /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
> Index: refpolicy-2.20170216/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170216/policy/modules/system/logging.te
> @@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
>
> init_dontaudit_use_fds(auditctl_t)
>
> -locallogin_dontaudit_use_fds(auditctl_t)
> -
> logging_set_audit_parameters(auditctl_t)
> logging_send_syslog_msg(auditctl_t)
>
> @@ -133,6 +131,10 @@ ifdef(`init_systemd',`
> init_rw_stream_sockets(auditctl_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(auditctl_t)
> +')
> +
> ########################################
> #
> # Auditd local policy
> @@ -373,8 +375,8 @@ optional_policy(`
> # sys_admin for the integrated klog of syslog-ng and metalog
> # sys_nice for rsyslog
> # cjp: why net_admin!
> -allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
> -dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
> +allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
> +dontaudit syslogd_t self:capability { sys_ptrace };
> # setpgid for metalog
> # setrlimit for syslog-ng
> # getsched for syslog-ng
> @@ -565,6 +567,8 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(syslogd_t)
> + # for systemd-journal to read seat data from /run/udev/data
> + udev_read_pid_files(syslogd_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170216/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170216/policy/modules/system/lvm.te
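Review bot: In the logging.te hunk at @@ -373, the new `+allow syslogd_t self:capability { ... setgid setuid ... }` line grants two capabilities that let the daemon change its uid/gid, but the comment block directly above it, which justifies sys_admin, sys_nice and net_admin one by one, gets no line for them, so a later audit cannot tell which logger needs them or whether they can be dropped. Please add a line in that style, `# setuid setgid for <daemon that drops privileges>` (placeholder; the hunk and the cover text do not name the consumer). Dropping sys_tty_config from the dontaudit on the next line is consistent with it now being allowed and needs no comment.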
> @@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
>
> +# for systemd-cryptsetup
> +dev_write_kmsg(lvm_t)
> +
> logging_send_syslog_msg(lvm_t)
>
> miscfiles_read_localization(lvm_t)
> Index: refpolicy-2.20170216/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170216/policy/modules/system/selinuxutil.te
> @@ -343,8 +343,6 @@ files_relabel_non_auth_files(restorecond
> files_read_non_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> -locallogin_dontaudit_use_fds(restorecond_t)
> -
> logging_send_syslog_msg(restorecond_t)
>
> miscfiles_read_localization(restorecond_t)
> @@ -358,6 +356,10 @@ ifdef(`distro_ubuntu',`
> ')
>
> optional_policy(`
> + locallogin_dontaudit_use_fds(restorecond_t)
> +')
> +
> +optional_policy(`
> rpm_use_script_fds(restorecond_t)
> ')
>
> @@ -482,8 +484,6 @@ term_use_all_terms(semanage_t)
> # Running genhomedircon requires this for finding all users
> auth_use_nsswitch(semanage_t)
>
> -locallogin_use_fds(semanage_t)
> -
> logging_send_syslog_msg(semanage_t)
>
> miscfiles_read_localization(semanage_t)
> @@ -516,6 +516,10 @@ ifdef(`distro_ubuntu',`
> ')
> ')
>
> +optional_policy(`
> + locallogin_use_fds(semanage_t)
> +')
> +
> ########################################
> #
> # Setfiles local policy
> Index: refpolicy-2.20170216/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170216/policy/modules/system/sysnetwork.te
> @@ -145,8 +145,6 @@ logging_send_syslog_msg(dhcpc_t)
>
> miscfiles_read_localization(dhcpc_t)
>
> -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> -
> sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
>
> userdom_use_user_terminals(dhcpc_t)
> @@ -205,6 +203,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +')
> +
> # for the dhcp client to run ping to check IP addresses
> optional_policy(`
> netutils_run_ping(dhcpc_t, dhcpc_roles)
> @@ -333,8 +335,6 @@ logging_send_syslog_msg(ifconfig_t)
>
> miscfiles_read_localization(ifconfig_t)
>
> -modutils_domtrans_insmod(ifconfig_t)
> -
> seutil_use_runinit_fds(ifconfig_t)
>
> sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
> @@ -377,6 +377,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_domtrans_insmod(ifconfig_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(ifconfig_t)
> ')
>
> Index: refpolicy-2.20170216/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170216/policy/modules/system/init.te
> @@ -309,7 +309,9 @@ ifdef(`init_systemd',`
> ',`
> # Run the shell in the sysadm role for single-user mode.
> # causes problems with upstart
> - sysadm_shell_domtrans(init_t)
> + ifndef(`distro_debian',`
> + sysadm_shell_domtrans(init_t)
> + ')
> ')
> ')
>
> @@ -563,9 +565,6 @@ miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> miscfiles_read_generic_certs(initrc_t)
>
> -modutils_read_module_config(initrc_t)
> -modutils_domtrans_insmod(initrc_t)
> -
> seutil_read_config(initrc_t)
>
> userdom_read_user_home_content_files(initrc_t)
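Review bot: In the init.te hunk at @@ -309, the new `ifndef` guard for distro_debian around `sysadm_shell_domtrans(init_t)` has no comment of its own; the two comments above it explain why the transition exists ("Run the shell in the sysadm role for single-user mode") and why it is a problem for upstart, but nothing records why Debian is excluded, so the next reader has to guess whether the exclusion is about upstart, about Debian's init, or about something else. Add a one-line comment on the guard, `# distro_debian: <reason the transition is skipped>` (placeholder; the reason is not stated in the hunk or the cover text). The enclosing ifdef for init_systemd begins outside the hunk.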
> @@ -955,6 +954,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')
> +
> +optional_policy(`
> mta_read_config(initrc_t)
> mta_dontaudit_read_spool_symlinks(initrc_t)
> ')
> Index: refpolicy-2.20170216/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170216/policy/modules/system/udev.te
> @@ -125,6 +125,7 @@ files_search_mnt(udev_t)
>
> fs_getattr_all_fs(udev_t)
> fs_list_inotifyfs(udev_t)
> +fs_read_cgroup_files(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
>
> mcs_ptrace_all(udev_t)
> Index: refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
> @@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
> files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
>
> kernel_read_ring_buffer(kerneloops_t)
> +kernel_read_system_state(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170216/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170216/policy/modules/services/xserver.if
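Review bot: In the udev.te hunk at @@ -125, `+fs_read_cgroup_files(udev_t)` is added with no rationale comment, unlike the other new accesses in this series (`dev_write_kmsg(lvm_t)` and `udev_read_pid_files(syslogd_t)` both say which component needs them); the same applies to `+kernel_read_system_state(kerneloops_t)` in the kerneloops.te hunk at @@ -28. A short comment in the same style, `# for <consumer>: <what it reads>` (placeholder; the hunks do not say), would let a later review decide whether the access is still required rather than having to bisect denials. Both additions look like read-only widenings, so the concern is traceability, not the permission itself.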
> @@ -934,6 +934,27 @@ interface(`xserver_create_xdm_tmp_socket
>
> ########################################
> ##
> +## Unlink a named socket in a XDM
> +## temporary directory.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`xserver_unlink_xdm_tmp_sockets',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 xdm_tmp_t:dir list_dir_perms;
> + allow $1 xdm_tmp_t:sock_file unlink;
> +')
Renamed this interface and put in delete_sock_files_pattern().
> +########################################
> +##
> ## Read XDM pid files.
> ##
> ##
> Index: refpolicy-2.20170216/policy/modules/kernel/files.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/kernel/files.te
> +++ refpolicy-2.20170216/policy/modules/kernel/files.te
> @@ -11,6 +11,7 @@ attribute lockfile;
> attribute mountpoint;
> attribute pidfile;
> attribute configfile;
> +attribute spoolfile;
>
> # For labeling types that are to be polyinstantiated
> attribute polydir;
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
> -- Chris PeBenito