From: dac.override@gmail.com (Dominick Grift)
Date: Tue, 4 Apr 2017 09:44:24 +0200
Subject: [refpolicy] [PATCH] misc fc changes
In-Reply-To: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au>
References: <20170402085805.2zlddx2evzcgxgop@athena.coker.com.au>
Message-ID: <20170404074424.GC10685@t450.enp8s0.d30>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On Sun, Apr 02, 2017 at 06:58:05PM +1000, Russell Coker via refpolicy wrote:
> Remove acct_exec_t label for /etc/cron\.(daily|monthly)/acct so it gets bin_t
>
> Label /dev/pts/ptmx as ptmx_t. It always should have been labelled like this
> but the presence of a device /dev/ptmx concealed it. With a container
> created by systemd-nspawn (and possibly other situations) /dev/ptmx is a
> symlink and we need correct labelling of /dev/pts/ptmx.
>
> Remove labelling of /usr/sbin/apachectl as initrc_exec_t so system scripts can
> run it without a domain transition.
>
> Also lots of little changes that are obvious.
>
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/acct.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/acct.fc
> @@ -1,5 +1,3 @@
> -/etc/cron\.(daily|monthly)/acct -- gen_context(system_u:object_r:acct_exec_t,s0)
> -
Any specific reason for removing this? system_cronjob_t is pretty broad, so i tend to move stuff out of there whenever that makes a little sense
> /etc/rc\.d/init\.d/psacct -- gen_context(system_u:object_r:acct_initrc_exec_t,s0)
>
> /usr/sbin/accton -- gen_context(system_u:object_r:acct_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apache.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apache.fc
> @@ -86,6 +86,7 @@ ifdef(`distro_suse',`
> /usr/share/mythtv/data(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /usr/share/ntop/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /usr/share/openca/htdocs(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> +/usr/share/postfixadmin/templates_c(/.*)? gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> /usr/share/selinux-policy[^/]*/html(/.*)? gen_context(system_u:object_r:httpd_sys_content_t,s0)
> /usr/share/wordpress/.*\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> /usr/share/wordpress-mu/wp-config\.php -- gen_context(system_u:object_r:httpd_sys_script_exec_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/contrib/apt.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/apt.fc
> @@ -14,6 +14,7 @@ ifndef(`distro_redhat',`
>
> /var/lib/apt(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> /var/lib/aptitude(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
> +/var/lib/apt-xapian-inde(x)(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)
>
> /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dirmngr.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dirmngr.fc
> @@ -7,6 +7,7 @@
> /var/log/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_log_t,s0)
>
> /var/lib/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
> +/var/cache/dirmngr(/.*)? gen_context(system_u:object_r:dirmngr_var_lib_t,s0)
>
> /run/dirmngr\.pid -- gen_context(system_u:object_r:dirmngr_var_run_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/contrib/dpkg.fc
> +++ refpolicy-2.20170329/policy/modules/contrib/dpkg.fc
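Review bot: `/usr/share/postfixadmin/templates_c(/.*)?` is the only httpd_sys_rw_content_t spec in this hunk, sitting among read-only httpd_sys_content_t vendor paths, and it grants httpd write access to a tree under /usr/share, which is otherwise treated as immutable vendor content. Presumably this is a compiled-template cache the web application writes at runtime; if so a comment such as `# template cache written by the web app at runtime` would justify the writable type to the next reader. If on Debian that directory is actually a symlink into /var/lib/postfixadmin, the label belongs on the target and this spec would have no effect; I cannot confirm the package layout from the hunk.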
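Review bot: The `(x)` group in `/var/lib/apt-xapian-inde(x)(/.*)?` captures one literal character and does not change what the expression matches, so it reads like an editing leftover rather than intent. Unless the parentheses are meant to defeat some tooling heuristic (nothing in the hunk suggests one), write it the way the neighbouring specs are written: `/var/lib/apt-xapian-index(/.*)? gen_context(system_u:object_r:apt_var_lib_t,s0)`.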
> @@ -4,6 +4,7 @@
> /usr/bin/dpkg -- gen_context(system_u:object_r:dpkg_exec_t,s0)
> /usr/bin/dselect -- gen_context(system_u:object_r:dpkg_exec_t,s0)
>
> +/var/lib/debtags(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
> /var/lib/dpkg(/.*)? gen_context(system_u:object_r:dpkg_var_lib_t,s0)
> /var/lib/dpkg/(meth)?lock -- gen_context(system_u:object_r:dpkg_lock_t,s0)
>
> --- refpolicy-2.20170329.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/corecommands.fc
> @@ -151,6 +151,7 @@ ifdef(`distro_gentoo',`
> /usr/bin/zsh.* -- gen_context(system_u:object_r:shell_exec_t,s0)
>
> /usr/lib/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/postfix/configure-instance.sh -- gen_context(system_u:object_r:bin_t,s0)
>
> /usr/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/(.*/)?sbin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> @@ -158,6 +159,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/dovecot/.+ gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/fence(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/pgsql/test/regress/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/qt.*/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> @@ -201,6 +203,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ssh(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sudo/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
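Review bot: `/usr/lib/dovecot/.+` carries no file-type flag, so it labels the subdirectories and every shared object under /usr/lib/dovecot bin_t as well; the libraries only end up lib_t because libraries.fc (touched later in this same patch) has the longer `/usr/lib/dovecot/(.*/)?lib.*\.so.*` spec, which as I understand the fc precedence rules wins over this one. Labelling a whole library directory bin_t and relying on another module to carve the libraries back out is fragile; restricting the spec to regular files, `/usr/lib/dovecot/[^/]+ -- gen_context(system_u:object_r:bin_t,s0)`, keeps the helper binaries bin_t without claiming the directories or the modules tree. Whether every dovecot helper lives directly in /usr/lib/dovecot rather than a subdirectory would need checking against the package.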
> @@ -259,6 +262,7 @@ ifdef(`distro_gentoo',`
> /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0)
> /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0)
>
> +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/share/ajaxterm/ajaxterm.py.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/ajaxterm/qweb.py.* -- gen_context(system_u:object_r:bin_t,s0)
> @@ -289,6 +293,7 @@ ifdef(`distro_gentoo',`
> /usr/share/printconf/util/print\.py -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/PackageKit/pk-upgrade-distro\.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/PackageKit/helpers(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/reportbug/handle_bugscript -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/kernel/files.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/files.fc
> @@ -215,6 +215,7 @@ HOME_ROOT/lost\+found/.* <>
> ifdef(`distro_debian',`
> # on Debian /lib/init/rw is a tmpfs used like /run
> /usr/lib/init/rw(/.*)? gen_context(system_u:object_r:var_run_t,s0-mls_systemhigh)
> +/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)
> ')
>
> ifndef(`distro_redhat',`
> --- refpolicy-2.20170329.orig/policy/modules/kernel/terminal.fc
> +++ refpolicy-2.20170329/policy/modules/kernel/terminal.fc
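Review bot: `/run/resolvconf(/.*)? -d gen_context(system_u:object_r:etc_t,s0)` needs a why-comment: labelling directories under /run etc_t while leaving the files inside to whatever creates them is not something a reader can reconstruct from the line, and the spec right above it shows this block's habit of explaining such Debian oddities (`# on Debian /lib/init/rw is a tmpfs used like /run`). Presumably the intent is that /etc/resolv.conf is a symlink into /run/resolvconf on Debian and the etc_t directory type makes the existing resolv.conf file transitions apply there; if so, say it: `# Debian: /etc/resolv.conf -> /run/resolvconf/; etc_t dirs so the resolv.conf filetrans rules apply`. If the reason is different, the comment should give that instead.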
> @@ -14,6 +14,7 @@
> /dev/ip2[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
> /dev/isdn.* -c gen_context(system_u:object_r:tty_device_t,s0)
> /dev/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
> +/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)
> /dev/rfcomm[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
> /dev/slamr[0-9]+ -c gen_context(system_u:object_r:tty_device_t,s0)
> /dev/tty -c gen_context(system_u:object_r:devtty_t,s0)
> @@ -24,7 +25,6 @@
> /dev/pty/.* -c gen_context(system_u:object_r:bsdpty_device_t,s0)
>
> /dev/pts -d gen_context(system_u:object_r:devpts_t,s0-mls_systemhigh)
> -/dev/pts/ptmx -c gen_context(system_u:object_r:devpts_t,s0)
> /dev/pts/[0-9]+ -c gen_context(system_u:object_r:user_devpts_t,s0)
>
> /dev/tts/[^/]* -c gen_context(system_u:object_r:tty_device_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20170329/policy/modules/services/xserver.fc
> @@ -32,6 +33,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /etc/kde[34]?/kdm/backgroundrc gen_context(system_u:object_r:xdm_var_run_t,s0)
>
> /etc/rc\.d/init\.d/x11-common -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/etc/sddm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
>
> /etc/X11/[wx]dm/Xreset.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
> /etc/X11/[wxg]dm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
> @@ -65,6 +67,7 @@ HOME_DIR/\.Xauthority.* -- gen_context(s
> /usr/bin/gdm-binary -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/lxdm(-binary)? -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/[xkw]dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/gpe-dm -- gen_context(system_u:object_r:xdm_exec_t,s0)
> /usr/bin/iceauth -- gen_context(system_u:object_r:iceauth_exec_t,s0)
> /usr/bin/slim -- gen_context(system_u:object_r:xdm_exec_t,s0)
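Review bot: The new `/dev/pts/ptmx -c gen_context(system_u:object_r:ptmx_t,s0)` is placed in the generic /dev block next to `/dev/ptmx`, while the second hunk of this file keeps every other /dev/pts entry grouped under `/dev/pts -d`; putting the line there, where the removed devpts_t spec used to be, keeps the pts entries together and makes the type change from devpts_t to ptmx_t visible in one place. Separately, a file_contexts spec on a devpts mount only takes effect when something relabels /dev/pts after it is mounted; the commit message explains why the node should be ptmx_t but not what restores that label at boot or inside the nspawn container, so that is worth confirming before depending on this change.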
> @@ -115,6 +118,7 @@ ifndef(`distro_debian',`
> /var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
> /var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
> /var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
> +/var/lib/sddm(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
>
> /var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
> /var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
> @@ -124,6 +128,7 @@ ifndef(`distro_debian',`
> /var/log/XFree86.* -- gen_context(system_u:object_r:xserver_log_t,s0)
> /var/log/Xorg.* -- gen_context(system_u:object_r:xserver_log_t,s0)
>
> +/run/sddm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> /run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
> /run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
> /run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170329/policy/modules/system/init.fc
> @@ -38,7 +38,6 @@ ifdef(`distro_gentoo', `
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> -/usr/sbin/apachectl -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
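Review bot: `/var/lib/sddm(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)` gives the sddm state directory the keyboard-map type instead of the display-manager type used by its siblings in this hunk (`/var/lib/lxdm(/.*)?` and `/var/lib/[xkw]dm(/.*)?` are both xdm_var_lib_t), while the rest of the patch treats sddm as a display manager (`/usr/bin/sddm` xdm_exec_t, `/run/sddm` xdm_var_run_t). It looks like a copy of the `/var/lib/xkb` line above it with only the path changed; it should read `/var/lib/sddm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)`. As written, the display manager domain would presumably be denied writing its own state while every reader of xkb_var_lib_t gains access to sddm's files.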
> @@ -65,6 +64,10 @@ ifdef(`distro_gentoo', `
> ifdef(`distro_debian',`
> /run/hotkey-setup -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> /run/kdm/.* -- gen_context(system_u:object_r:initrc_var_run_t,s0)
> +/etc/network/if-pre-up.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-up.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> +/etc/network/if-post-down.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> ')
>
> ifdef(`distro_gentoo', `
> --- refpolicy-2.20170329.orig/policy/modules/system/libraries.fc
> +++ refpolicy-2.20170329/policy/modules/system/libraries.fc
> @@ -105,6 +105,7 @@ ifdef(`distro_debian',`
> /usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
> ')
>
> +/usr/lib/postfix/lib.*so.* -- gen_context(system_u:object_r:lib_t,s0)
That looks like it might be redundant or that there is some other spec that should probably ideally be more specific for this location
> /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/lvm.fc
> +++ refpolicy-2.20170329/policy/modules/system/lvm.fc
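Review bot: The four new `/etc/network/if-*.d/.*` specs leave the dots unescaped (so `if-up.d` also matches `if-upXd`) where the rest of this patch escapes them (`/etc/rc\.d/init\.d/...`), and they are appended to the distro_debian block after the `/run/...` entries although these files are kept in path order, so they belong before `/run/hotkey-setup`. They also collapse to one line: `/etc/network/if-(pre-up|up|down|post-down)\.d/.* -- gen_context(system_u:object_r:initrc_exec_t,s0)`. Beyond style, initrc_exec_t means every ifupdown hook script runs in initrc_t when launched by a domain with an initrc transition, which is a very broad domain for per-interface hooks; a short comment on why that was preferred over a narrower type would help the next reader judge it.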
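Review bot: `/usr/lib/postfix/lib.*so.*` has an unescaped `.` before `so`, so it matches any name containing `so` after `lib` (`libfoo-so-1`, for instance) rather than only shared objects, whereas the dovecot spec two lines below writes `lib.*\.so.*`; match that: `/usr/lib/postfix/lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)`. The line is also inserted above `/usr/lib/altivec/...`, out of path order; it belongs below the dovecot entry.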
> @@ -42,6 +42,7 @@ ifdef(`distro_gentoo',`
> /usr/sbin/lvdisplay -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/sbin/lvextend -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/sbin/lvm -- gen_context(system_u:object_r:lvm_exec_t,s0)
> +/usr/sbin/lvmetad -- gen_context(system_u:object_r:lvm_exec_t,s0)
Fedora does this as well and i am wonder whether this is a good idea in the longer run lvm is short running, lvmetad is long running lvm probably needs permission to raw storage? it remains to be seen whether this daemon needs access to raw storage as well (if it doesnt then that to me is reason enough to move it out of lvm_t)
> /usr/sbin/lvm\.static -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/sbin/lvmchange -- gen_context(system_u:object_r:lvm_exec_t,s0)
> /usr/sbin/lvmdiskscan -- gen_context(system_u:object_r:lvm_exec_t,s0)
> @@ -93,3 +94,4 @@ ifdef(`distro_gentoo',`
> /var/lock/lvm(/.*)? gen_context(system_u:object_r:lvm_lock_t,s0)
> /run/multipathd\.sock -s gen_context(system_u:object_r:lvm_var_run_t,s0)
> /run/dmevent.* gen_context(system_u:object_r:lvm_var_run_t,s0)
> +/run/lvm(/.*)? gen_context(system_u:object_r:lvm_var_run_t,s0)
> --- refpolicy-2.20170329.orig/policy/modules/system/miscfiles.fc
> +++ refpolicy-2.20170329/policy/modules/system/miscfiles.fc
> @@ -12,7 +12,7 @@ ifdef(`distro_gentoo',`
> /etc/httpd/alias/[^/]*\.db(\.[^/]*)* -- gen_context(system_u:object_r:cert_t,s0)
> /etc/localtime -- gen_context(system_u:object_r:locale_t,s0)
> /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0)
> -/etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0)
> +/etc/ssl/private(/.*)? gen_context(system_u:object_r:cert_t,s0)
There probably should not be private keys on a production system in the first place? Regardless, atleast be consistent and apply this to /etc/pki as well
> /etc/timezone -- gen_context(system_u:object_r:locale_t,s0)
>
> ifdef(`distro_debian',`
> --- refpolicy-2.20170329.orig/policy/modules/system/udev.fc
> +++ refpolicy-2.20170329/policy/modules/system/udev.fc
> @@ -39,4 +39,5 @@ ifdef(`distro_redhat',`
>
> ifdef(`distro_debian',`
> /run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> +/run/console-setup(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> ')
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20170404/04deb34c/attachment.bin
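Review bot: Replacing `/etc/ssl(/.*)?` with `/etc/ssl/private(/.*)?` silently drops cert_t from everything else under /etc/ssl, which on Debian includes /etc/ssl/certs, the CA bundle TLS clients read; unless another spec not shown in this hunk still covers those paths, they fall back to etc_t and any domain that relies on the generic-certs interface rather than on reading etc_t files loses its trust store. Neither the hunk nor the commit message says why the narrowing was wanted, so at minimum a comment explaining it or a companion `/etc/ssl/certs(/.*)? gen_context(system_u:object_r:cert_t,s0)` spec is needed. Note also that keeping private keys under the same cert_t type as public CA certificates means every domain allowed to read generic certs may read the keys; that is the pre-existing state, but worth stating while this line is being touched.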