From: pebenito@ieee.org (Chris PeBenito)
Date: Tue, 18 Apr 2017 20:38:36 -0400
Subject: [refpolicy] [PATCH] misc daemons
In-Reply-To: <20170417134633.32uttndeazdcksne@athena.coker.com.au>
References: <20170417134633.32uttndeazdcksne@athena.coker.com.au>
Message-ID: <110fb46b-f76f-94a8-1c35-e676847228dc@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:
> Put in libx32 subs entries that refer to directories with fc entries.
>
> Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
> dpkg-reconfigure.
>
> Some dontaudit rules for mta processes spawned by mon for notification.
>
> Lots of tiny changes that are obvious.
Merged with some line moving and a few notes (following)
> Index: refpolicy-2.20170417/config/file_contexts.subs_dist
> ===================================================================
> --- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
> +++ refpolicy-2.20170417/config/file_contexts.subs_dist
> @@ -12,13 +12,14 @@
> /lib /usr/lib
> /lib32 /usr/lib
> /lib64 /usr/lib
> -/libx32 /usr/libx32
> +/libx32 /usr/lib
> /sbin /usr/sbin
> /etc/init.d /etc/rc.d/init.d
> /lib/systemd /usr/lib/systemd
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
> +/usr/libx32 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
> Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
> +++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
> @@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
> kernel_change_ring_buffer_level(dmesg_t)
> kernel_list_proc(dmesg_t)
> kernel_read_proc_symlinks(dmesg_t)
> +dev_read_kmsg(dmesg_t)
> +
> # for when /usr is not mounted:
> kernel_dontaudit_search_unlabeled(dmesg_t)
>
> Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20170417/policy/modules/admin/netutils.te
> @@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
> files_dontaudit_search_var(ping_t)
>
> kernel_read_system_state(ping_t)
> +dev_read_urand(ping_t)
>
> auth_use_nsswitch(ping_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
> +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
> @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
>
> allow alsa_t alsa_home_t:file read_file_perms;
>
> +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
> +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
This doesn't seem to fit since /var/lock/asound\.state\.lock is the only
lockfile. How is the locking changing?
> list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
> +++ refpolicy-2.20170417/policy/modules/contrib/backup.te
> @@ -21,7 +21,7 @@ files_type(backup_store_t)
> # Local policy
> #
>
> -allow backup_t self:capability dac_override;
> +allow backup_t self:capability { chown dac_override fsetid };
> allow backup_t self:process signal;
> allow backup_t self:fifo_file rw_fifo_file_perms;
> allow backup_t self:tcp_socket create_socket_perms;
> Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
> +++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> @@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
>
> kernel_read_kernel_sysctls(bitlbee_t)
> kernel_read_system_state(bitlbee_t)
> +kernel_read_crypto_sysctls(bitlbee_t)
>
> corenet_all_recvfrom_unlabeled(bitlbee_t)
> corenet_all_recvfrom_netlabel(bitlbee_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> @@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
> allow dpkg_t self:msg { send receive };
>
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
> +corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
> +corecmd_bin_entry_type(dpkg_script_t)
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>
> @@ -307,6 +309,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + devicekit_dbus_chat_power(dpkg_script_t)
> +')
> +
> +optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
> +++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
>
> files_read_etc_runtime_files(fetchmail_t)
> +files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
>
> fs_getattr_all_fs(fetchmail_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> @@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
>
> kernel_read_ring_buffer(kerneloops_t)
> kernel_read_system_state(kerneloops_t)
> +dev_read_urand(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
> +++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> @@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
> locallogin_use_fds(loadkeys_t)
>
> miscfiles_read_localization(loadkeys_t)
> +init_read_script_tmp_files(loadkeys_t)
>
> userdom_use_user_ttys(loadkeys_t)
> userdom_list_user_home_content(loadkeys_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.if
> @@ -1 +1,37 @@
> ## mon network monitoring daemon.
> +
> +######################################
> +##
> +## dontaudit searching /var/lib/mon
> +##
> +##
> +##
> +## Domain to not audit
> +##
> +##
> +#
> +interface(`mon_dontaudit_search_var_lib',`
> + gen_require(`
> + type mon_var_lib_t;
> + ')
> +
> + dontaudit $1 mon_var_lib_t:dir search;
> +')
> +
> +######################################
> +##
> +## dontaudit using an inherited fd from mon_t
> +##
> +##
> +##
> +## Domain to not audit
> +##
> +##
> +#
> +interface(`mon_dontaudit_fd_use',`
> + gen_require(`
> + type mon_t;
> + ')
> +
> + dontaudit $1 mon_t:fd use;
> +')
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.te
> @@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
> files_read_etc_files(mon_t)
> files_read_etc_runtime_files(mon_t)
> files_read_usr_files(mon_t)
> +files_search_var_lib(mon_t)
>
> fs_getattr_all_fs(mon_t)
> fs_search_auto_mountpoints(mon_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mta.te
> @@ -324,6 +324,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + mon_dontaudit_fd_use(mta_user_agent)
> +')
> +
> ########################################
> #
> # Mailserver delivery local policy
> @@ -379,6 +383,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mon_dontaudit_search_var_lib(mailserver_delivery)
> +')
> +
> +optional_policy(`
> postfix_rw_inherited_master_pipes(mailserver_delivery)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
> +++ refpolicy-2.20170417/policy/modules/contrib/munin.te
> @@ -386,6 +386,7 @@ optional_policy(`
> #
>
> allow system_munin_plugin_t self:udp_socket create_socket_perms;
> +allow system_munin_plugin_t self:capability net_admin;
>
> rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
>
> @@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
>
> dev_read_sysfs(system_munin_plugin_t)
> dev_read_urand(system_munin_plugin_t)
> +files_read_usr_files(system_munin_plugin_t)
>
> domain_read_all_domains_state(system_munin_plugin_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
> @@ -78,7 +78,7 @@ interface(`mysql_signal',`
> type mysqld_t;
> ')
>
> - allow $1 mysqld_t:process signal;
> + allow $1 mysqld_t:process { signal signull };
I'd prefer a separate interface. Dropped since I can't determine which
domain(s) would call the new interface.
> ')
>
> ########################################
> Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
> @@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>
> -allow ntpd_t ntpd_lock_t:file write_file_perms;
> +allow ntpd_t ntpd_lock_t:file rw_file_perms;
>
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
> @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> files_list_non_auth_dirs(rsync_t)
> files_read_non_auth_files(rsync_t)
> files_read_non_auth_symlinks(rsync_t)
> + getattr_fifo_files_pattern(rsync_t, file_type, file_type)
> + getattr_sock_files_pattern(rsync_t, file_type, file_type)
Dropped due to encapsulation problem (needs to use interfaces)
> auth_tunable_read_shadow(rsync_t)
> ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> @@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
>
> miscfiles_read_localization(rtkit_daemon_t)
>
> +selinux_getattr_fs(rtkit_daemon_t)
> +seutil_search_default_contexts(rtkit_daemon_t)
> +
> optional_policy(`
> dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> @@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
> files_read_etc_files(fsdaemon_t)
> files_read_etc_runtime_files(fsdaemon_t)
> files_read_usr_files(fsdaemon_t)
> +files_search_var_lib(fsdaemon_t)
>
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
> Index: refpolicy-2.20170417/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170417/policy/modules/system/fstools.te
> @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> allow fsadm_t fsadm_run_t:file manage_file_perms;
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
> +# for /run/mount/utab
> +stat_mount_var_run(fsadm_t)
Doesn't exist (and incorrect interface name)
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
> @@ -208,6 +211,10 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(fsadm_t)
> +
> + # Xen causes losetup to run with a presumably accidentally inherited
> + # file handle for /run/xen-hotplug/block
> + dontaudit_udev_pidfile_rw(fsadm_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170417/policy/modules/system/udev.if
> @@ -301,6 +301,24 @@ interface(`udev_list_pids',`
>
> ########################################
> ##
> +## dontaudit attempts to read/write udev pidfiles
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dontaudit_udev_pidfile_rw',`
Renamed
> + gen_require(`
> + type udev_var_run_t;
> + ')
> +
> + dontaudit $1 udev_var_run_t:file { read write };
> +')
> +
> +########################################
> +##
> ## Create, read, write, and delete
> ## udev pid directories
> ##
--
Chris PeBenito