From: russell@coker.com.au (Russell Coker) Date: Wed, 19 Apr 2017 14:47:50 +1000 Subject: [refpolicy] [PATCH] misc daemons In-Reply-To: <110fb46b-f76f-94a8-1c35-e676847228dc@ieee.org> References: <20170417134633.32uttndeazdcksne@athena.coker.com.au> <110fb46b-f76f-94a8-1c35-e676847228dc@ieee.org> Message-ID: <201704191447.50649.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Wed, 19 Apr 2017 10:38:36 AM Chris PeBenito wrote: > On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote: > > Put in libx32 subs entries that refer to directories with fc entries. > > > > Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for > > dpkg-reconfigure. > > > > Some dontaudit rules for mta processes spawned by mon for notification. > > > > Lots of tiny changes that are obvious. > > Merged with some line moving and a few notes (following) Thanks. > > --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te > > +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te > > @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a > > > > allow alsa_t alsa_home_t:file read_file_perms; > > > > +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa") > > +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t) > > +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t) > > This doesn't seem to fit since /var/lock/asound\.state\.lock is the only > lockfile. How is the locking changing? I can't remember. With things like this if you think it shouldn't be in there just drop them and I'll do further investigation. For all I know the latest version of the alsa utilities might not even require such access any more. =================================================================== > > --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if > > +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if 
> > @@ -78,7 +78,7 @@ interface(`mysql_signal',` > > > > type mysqld_t; > > > > ') > > > > - allow $1 mysqld_t:process signal; > > + allow $1 mysqld_t:process { signal signull }; > > I'd prefer a separate interface. Dropped since I can't determine which > domain(s) would call the new interface. In what situation could it be reasonable to allow signal access without allowing signull? It's like permitting file read write but not getattr, sure you can make access finer grained, but is there any point? =================================================================== > > --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te > > +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te > > @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',` > > > > files_list_non_auth_dirs(rsync_t) > > files_read_non_auth_files(rsync_t) > > files_read_non_auth_symlinks(rsync_t) > > > > + getattr_fifo_files_pattern(rsync_t, file_type, file_type) > > + getattr_sock_files_pattern(rsync_t, file_type, file_type) > > Dropped due to encapsulation problem (needs to use interfaces) OK, I'll make a new patch for this. =================================================================== > > --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te > > +++ refpolicy-2.20170417/policy/modules/system/fstools.te > > @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir > > > > allow fsadm_t fsadm_run_t:file manage_file_perms; > > files_pid_filetrans(fsadm_t, fsadm_run_t, dir) > > > > +# for /run/mount/utab > > +stat_mount_var_run(fsadm_t) > > Doesn't exist (and incorrect interface name) Does on Debian. Should I put it in a ifdef distro_debian? What would be the correct interface name? -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
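Review bot: In the alsa.te hunk, the added files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa") labels a directory created in the pid directory with a lock type, and nothing in the hunk says which path needs it. Add a comment naming the directory that is being created. If that directory lives under the lock directory, use files_lock_filetrans instead. If it really is a runtime directory, give it a runtime type rather than reusing alsa_var_lock_t. The two manage_*_pattern lines grant full manage on directories and symlinks of that type, so they should be justified by the same comment or narrowed to what the lock handling needs.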
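Review bot: In the mysql.if hunk, changing the rule inside mysql_signal to "allow $1 mysqld_t:process { signal signull };" means the interface name no longer describes what it grants, and every existing caller of mysql_signal gains signull without its own policy changing. If the wider permission set is kept here, the interface summary should be updated in the same patch to say that it also allows the null signal. Otherwise, add the signull rule as its own interface and call it from the domains that need it.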
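Review bot: In the rsync.te hunk, the two added lines name the file_type attribute directly ("getattr_fifo_files_pattern(rsync_t, file_type, file_type)"), which is wider than the non_auth scope of the three files_*_non_auth_* calls just above them in the same rsync_export_all_ro block. It also reaches into an attribute that rsync.te does not declare. Express the fifo and socket getattr access through interfaces of the module that owns file_type, scoped to non-auth files like the neighbouring calls, so the tunable keeps a consistent boundary.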
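Review bot: In the fstools.te hunk, the call stat_mount_var_run(fsadm_t) uses an interface name that does not start with the name of the module that would provide it, unlike the files_pid_filetrans call two lines above. Its definition is also not part of the visible change. Rename it so that it is prefixed with the owning module, and include the interface definition in the same patch so the policy builds. The comment "# for /run/mount/utab" is useful and should stay with the call.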