From: pebenito@ieee.org (Chris PeBenito)
Date: Mon, 20 Feb 2017 10:27:45 -0500
Subject: [refpolicy] [PATCH] tiny patches for fetchmail, mysql, and tor
In-Reply-To: <20170220054708.hwu4vkj5utyk5jly@athena.coker.com.au>
References: <20170220054708.hwu4vkj5utyk5jly@athena.coker.com.au>
Message-ID: <7bf84650-36bd-d4e3-6f0a-69562d6440a8@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 02/20/17 00:47, Russell Coker via refpolicy wrote:
> All obvious and trivial patches. Please apply.
>
> Index: refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/fetchmail.te
> +++ refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
> @@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
> setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
> logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
>
> +allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
> allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
> mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
>
> Index: refpolicy-2.20170220/policy/modules/contrib/mysql.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/mysql.te
> +++ refpolicy-2.20170220/policy/modules/contrib/mysql.te
> @@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
> allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> allow mysqld_t self:fifo_file rw_fifo_file_perms;
> allow mysqld_t self:shm create_shm_perms;
> -allow mysqld_t self:unix_stream_socket { accept listen };
> +allow mysqld_t self:unix_stream_socket { connectto accept listen };
> allow mysqld_t self:tcp_socket { accept listen };
>
> manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
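Review bot: The new `allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;` lets fetchmail_t create directories of the uidl cache type, but the transition on the following line, `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)`, still covers only the `file` class, so a directory fetchmail itself creates under the mail spool would inherit the spool directory's type and the added rule would never reach it. If fetchmail does create that directory at runtime (the added rule suggests it may; I cannot confirm from the hunk), the transition should be widened to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })`. If the directory is instead created by packaging or an admin and labelled by file contexts, a one-line comment above the rule saying so would stop the next reader from asking the same question.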
> @@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var
> kernel_read_kernel_sysctls(mysqld_t)
> kernel_read_network_state(mysqld_t)
> kernel_read_system_state(mysqld_t)
> +kernel_read_vm_sysctls(mysqld_t)
>
> corenet_all_recvfrom_unlabeled(mysqld_t)
> corenet_all_recvfrom_netlabel(mysqld_t)
> @@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { ch
> allow mysqld_safe_t self:process { setsched getsched setrlimit };
> allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
>
> -allow mysqld_safe_t mysqld_t:process signull;
> +allow mysqld_safe_t mysqld_t:process { signull sigkill };
>
> read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
> manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
> @@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t
> corecmd_exec_bin(mysqld_safe_t)
> corecmd_exec_shell(mysqld_safe_t)
>
> -dev_list_sysfs(mysqld_safe_t)
> +dev_read_sysfs(mysqld_safe_t)
>
> domain_read_all_domains_state(mysqld_safe_t)
>
> Index: refpolicy-2.20170220/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170220/policy/modules/contrib/tor.te
> @@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir,
> # Local policy
> #
>
> -allow tor_t self:capability { setgid setuid sys_tty_config };
> +allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
> allow tor_t self:process signal;
> allow tor_t self:fifo_file rw_fifo_file_perms;
> allow tor_t self:unix_stream_socket { accept listen };
> @@ -62,6 +62,7 @@ create_files_pattern(tor_t, tor_var_log_
> setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
> manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
> logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
> +fs_search_tmpfs(tor_t)

Merged, though I moved the above line.

--
Chris PeBenito
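Review bot: Granting `dac_override` and `dac_read_search` in the new `allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };` is not the trivial change the cover note describes: those two capabilities let a compromised tor process bypass owner/mode checks on every object its type-enforcement rules already reach, which is a wider grant than the chown/fowner/fsetid bits that plausibly come from tor re-owning its data directory after dropping to its configured user. In refpolicy these two usually show up because a directory is root-owned or wrongly moded at the moment the daemon has already changed uid, and the conventional fix is to correct the ownership or `dontaudit` the access rather than allow it; I cannot see the AVC that motivated them here, so this is inferred. I'd split them out as `dontaudit tor_t self:capability { dac_override dac_read_search };` unless a real code path needs them, and in that case add a comment above the rule naming that path so the next reviewer does not have to rediscover it. The tor_t local-policy section continues past the end of this hunk.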