From: guido@trentalancia.net (Guido Trentalancia) Date: Mon, 17 Apr 2017 18:39:46 +0200 Subject: [refpolicy] [PATCH] misc daemons In-Reply-To: <20170417134633.32uttndeazdcksne@athena.coker.com.au> References: <20170417134633.32uttndeazdcksne@athena.coker.com.au> Message-ID: <3853B055-51B1-41B7-A077-D30CDF3122AA@trentalancia.net> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com Hi, I think there is one more kernel interface call to skip before inserting the dev_read_kmsg(dmesg_t) call. Regards, Guido On the 17th of April 2017 15:46:33 CEST, Russell Coker via refpolicy wrote:
>Put in libx32 subs entries that refer to directories with fc entries.
>
>Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
>dpkg-reconfigure.
>
>Some dontaudit rules for mta processes spawned by mon for notification.
>
>Lots of tiny changes that are obvious.
>
>Index: refpolicy-2.20170417/config/file_contexts.subs_dist
>===================================================================
>--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
>+++ refpolicy-2.20170417/config/file_contexts.subs_dist
>@@ -12,13 +12,14 @@
> /lib /usr/lib
> /lib32 /usr/lib
> /lib64 /usr/lib
>-/libx32 /usr/libx32
>+/libx32 /usr/lib
> /sbin /usr/sbin
> /etc/init.d /etc/rc.d/init.d
> /lib/systemd /usr/lib/systemd
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
>+/usr/libx32 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
>Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
>+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
>@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
> kernel_change_ring_buffer_level(dmesg_t)
> kernel_list_proc(dmesg_t)
> kernel_read_proc_symlinks(dmesg_t)
>+dev_read_kmsg(dmesg_t)
>+
> # for when /usr is not mounted:
> kernel_dontaudit_search_unlabeled(dmesg_t)
>
>Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
>+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
>@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
> files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
>+dev_read_urand(ping_t)
>
> auth_use_nsswitch(ping_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
>+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
>@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
>+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
>+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
>+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
>+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
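Review bot: `files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")` in the alsa.te hunk labels a directory created under the runtime/pid directory with the lock type, and nothing in this patch adds or shows a matching file-context entry for that path, so a relabel could give the directory a different label than the one the transition creates — worth confirming alsa.fc already covers it. The three new alsa_var_lock_t rules also sit directly against the alsa_etc_t block with no separating blank line, unlike the grouping used elsewhere in the hunk. A short comment above them, e.g. `# runtime directory created by the daemon (presumably /run/alsa) — confirm fc entry`, would make the intent visible to the next reader.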
>@@ -21,7 +21,7 @@ files_type(backup_store_t)
> # Local policy
> #
>
>-allow backup_t self:capability dac_override;
>+allow backup_t self:capability { chown dac_override fsetid };
> allow backup_t self:process signal;
> allow backup_t self:fifo_file rw_fifo_file_perms;
> allow backup_t self:tcp_socket create_socket_perms;
>Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
>+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
>
> kernel_read_kernel_sysctls(bitlbee_t)
> kernel_read_system_state(bitlbee_t)
>+kernel_read_crypto_sysctls(bitlbee_t)
>
> corenet_all_recvfrom_unlabeled(bitlbee_t)
> corenet_all_recvfrom_netlabel(bitlbee_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
>+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
> allow dpkg_t self:msg { send receive };
>
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
>+corecmd_bin_entry_type(dpkg_script_t)
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>
>@@ -307,6 +309,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ devicekit_dbus_chat_power(dpkg_script_t)
>+')
>+
>+optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
>+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
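Review bot: The widened `allow backup_t self:capability { chown dac_override fsetid };` in the backup.te hunk is not explained in the hunk or in the description, and the two added capabilities let the domain change file ownership and keep set-id bits on files it modifies, which is a materially broader grant than dac_override alone. If these come from denials observed while restoring ownership and permissions, a one-line comment above the rule recording that would let a later reader judge whether they are still needed, e.g. `# chown/fsetid: restore ownership and set-id bits of restored files — confirm against the denials`. Without such a note the description's "tiny changes that are obvious" does not cover this line.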
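Review bot: `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` in the first dpkg.te hunk makes dpkg_t transition to dpkg_script_t on every bin_t executable it runs, not only dpkg-reconfigure as the description says, and nothing in the hunk records that scope. I'd put `# dpkg-reconfigure is bin_t; every bin_t exec by dpkg_t lands in dpkg_script_t` above the two new lines and move them down beside the existing `spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)` so the transition rules sit together rather than between the lock-file rule and the pattern call. `corecmd_bin_entry_type(dpkg_script_t)` looks redundant with the entrypoint permission the domtrans pattern already grants, though it may be wanted for the entry-file attribute — confirm before dropping it.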
>@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
>
> files_read_etc_runtime_files(fetchmail_t)
>+files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
>
> fs_getattr_all_fs(fetchmail_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
>+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
>
> kernel_read_ring_buffer(kerneloops_t)
> kernel_read_system_state(kerneloops_t)
>+dev_read_urand(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
>+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
> locallogin_use_fds(loadkeys_t)
>
> miscfiles_read_localization(loadkeys_t)
>+init_read_script_tmp_files(loadkeys_t)
>
> userdom_use_user_ttys(loadkeys_t)
> userdom_list_user_home_content(loadkeys_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
>@@ -1 +1,37 @@
> ## mon network monitoring daemon.
>+
>+######################################
>+##
>+## dontaudit searching /var/lib/mon
>+##
>+##
>+##
>+## Domain to not audit
>+##
>+##
>+#
>+interface(`mon_dontaudit_search_var_lib',`
>+ gen_require(`
>+ type mon_var_lib_t;
>+ ')
>+
>+ dontaudit $1 mon_var_lib_t:dir search;
>+')
>+
>+######################################
>+##
>+## dontaudit using an inherited fd from mon_t
>+##
>+##
>+##
>+## Domain to not audit
>+##
>+##
>+#
>+interface(`mon_dontaudit_fd_use',`
>+ gen_require(`
>+ type mon_t;
>+ ')
>+
>+ dontaudit $1 mon_t:fd use;
>+')
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
>@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
> files_read_etc_files(mon_t)
> files_read_etc_runtime_files(mon_t)
> files_read_usr_files(mon_t)
>+files_search_var_lib(mon_t)
>
> fs_getattr_all_fs(mon_t)
> fs_search_auto_mountpoints(mon_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
>@@ -324,6 +324,10 @@ optional_policy(`
> ')
> ')
>
>+optional_policy(`
>+ mon_dontaudit_fd_use(mta_user_agent)
>+')
>+
> ########################################
> #
> # Mailserver delivery local policy
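Review bot: The new interface name `mon_dontaudit_fd_use` in the mon.if hunk departs from the verb-object order the existing fd interfaces use (this same patch calls `locallogin_use_fds` in the loadkeys hunk); `mon_dontaudit_use_fds` would match that convention and should be renamed both at its definition here and at its caller in the first mta.te hunk. The interface bodies themselves look right: both are dontaudit-only and require only the type they reference, so they grant nothing. The XML parameter tags in the doc headers appear stripped in this rendering, so I cannot check that each `## Domain to not audit` sits inside a param element — worth a glance at the raw patch.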
>@@ -379,6 +383,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ mon_dontaudit_search_var_lib(mailserver_delivery)
>+')
>+
>+optional_policy(`
> postfix_rw_inherited_master_pipes(mailserver_delivery)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
>+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
>@@ -386,6 +386,7 @@ optional_policy(`
> #
>
> allow system_munin_plugin_t self:udp_socket create_socket_perms;
>+allow system_munin_plugin_t self:capability net_admin;
>
>rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, >munin_var_lib_t)
>
>@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
>
> dev_read_sysfs(system_munin_plugin_t)
> dev_read_urand(system_munin_plugin_t)
>+files_read_usr_files(system_munin_plugin_t)
>
> domain_read_all_domains_state(system_munin_plugin_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
>@@ -78,7 +78,7 @@ interface(`mysql_signal',`
> type mysqld_t;
> ')
>
>- allow $1 mysqld_t:process signal;
>+ allow $1 mysqld_t:process { signal signull };
> ')
>
> ########################################
>Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
>+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
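Review bot: `allow system_munin_plugin_t self:capability net_admin;` in the first munin.te hunk grants a broad capability to every system munin plugin, with no comment saying which plugin or operation needs it, and the description's "tiny changes that are obvious" does not cover it. A comment in the style the fstools hunk uses (`# for /run/mount/utab`) would help, e.g. `# net_admin: needed by <PLUGIN> for <OPERATION> — confirm from the denial` with the placeholders filled in; if a single plugin is the cause, a dontaudit or a narrower rule may be the better fit. The second munin.te hunk (`files_read_usr_files`) is fine as is. The mysql.if change adds signull to an interface whose name and (not shown) summary speak only of signal; the summary should mention signull too.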
>@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>
>-allow ntpd_t ntpd_lock_t:file write_file_perms;
>+allow ntpd_t ntpd_lock_t:file rw_file_perms;
>
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
>@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> files_list_non_auth_dirs(rsync_t)
> files_read_non_auth_files(rsync_t)
> files_read_non_auth_symlinks(rsync_t)
>+ getattr_fifo_files_pattern(rsync_t, file_type, file_type)
>+ getattr_sock_files_pattern(rsync_t, file_type, file_type)
> auth_tunable_read_shadow(rsync_t)
> ')
>
>Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
>
> miscfiles_read_localization(rtkit_daemon_t)
>
>+selinux_getattr_fs(rtkit_daemon_t)
>+seutil_search_default_contexts(rtkit_daemon_t)
>+
> optional_policy(`
> dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
>
>Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
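Review bot: `getattr_fifo_files_pattern(rsync_t, file_type, file_type)` and the sibling `getattr_sock_files_pattern` line in the rsync.te hunk reference the `file_type` attribute directly from a contrib module, whereas every neighbouring rule in the same tunable goes through a files.if interface; a direct attribute reference needs `attribute file_type;` in a gen_require (which this hunk does not add, unless rsync.te already requires it) and bypasses the module boundary refpolicy keeps around the files module. If I recall correctly files.if already provides `files_getattr_all_pipes()` and `files_getattr_all_sockets()` for exactly this; those would be the conventional replacement, and if they do not exist the interface belongs in files.if next to the `files_*_non_auth_*` ones called just above. The tunable_policy block begins before the hunk.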
>@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
> files_read_etc_files(fsdaemon_t)
> files_read_etc_runtime_files(fsdaemon_t)
> files_read_usr_files(fsdaemon_t)
>+files_search_var_lib(fsdaemon_t)
>
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
>Index: refpolicy-2.20170417/policy/modules/system/fstools.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
>+++ refpolicy-2.20170417/policy/modules/system/fstools.te
>@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> allow fsadm_t fsadm_run_t:file manage_file_perms;
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
>+# for /run/mount/utab
>+stat_mount_var_run(fsadm_t)
>+
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
>@@ -208,6 +211,10 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(fsadm_t)
>+
>+ # Xen causes losetup to run with a presumably accidentally inherited
>+ # file handle for /run/xen-hotplug/block
>+ dontaudit_udev_pidfile_rw(fsadm_t)
> ')
>
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/udev.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
>+++ refpolicy-2.20170417/policy/modules/system/udev.if
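Review bot: `stat_mount_var_run(fsadm_t)` in the first fstools.te hunk and `dontaudit_udev_pidfile_rw(fsadm_t)` in the second (its definition is the udev.if hunk) both break the refpolicy rule that an interface name starts with its module's prefix, which is what groups them in the generated interface docs and makes the providing module obvious at the call site; a `mount_`-prefixed name for the first and `udev_dontaudit_rw_pid_files(fsadm_t)` for the second would fit, with the udev.if definition renamed to match. `stat_mount_var_run` is also not defined anywhere in this patch, so unless mount.if already provides it the fstools module will fail to build. The `# for /run/mount/utab` comment and the Xen/losetup comment are the right style and should stay with the renamed calls. Both optional_policy blocks in the second hunk begin outside it.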
>@@ -301,6 +301,24 @@ interface(`udev_list_pids',`
>
> ########################################
> ##
>+## dontaudit attempts to read/write udev pidfiles
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`dontaudit_udev_pidfile_rw',`
>+ gen_require(`
>+ type udev_var_run_t;
>+ ')
>+
>+ dontaudit $1 udev_var_run_t:file { read write };
>+')
>+
>+########################################
>+##
> ## Create, read, write, and delete
> ## udev pid directories
> ##
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
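Review bot: The parameter description `## Domain allowed access.` in the udev.if hunk is wrong for a dontaudit interface — the rule grants nothing — and should read `## Domain to not audit`, as the two new mon.if interfaces in this same patch do. The summary `## dontaudit attempts to read/write udev pidfiles` could also name the type it covers (`udev_var_run_t`) so it is not confused with the pid-directory interfaces that follow it in the file. The body itself is correct: it only suppresses read/write denials on udev_var_run_t files and requires nothing beyond that type.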