From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 13:28:32 +0200
Subject: [refpolicy] [PATCH] fist "strict" patch
In-Reply-To: <20170419104751.w42bk2et4dzoj2ia@athena.coker.com.au>
References: <20170419104751.w42bk2et4dzoj2ia@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hi.
The file .xsession-errors is of type xsession_log_t and not user home content. So you should probably fix the file transition for xdm_t.
Regards,
Guido
On the 19th of April 2017 12:47:51 CEST, Russell Coker via refpolicy wrote:
>This is the first patch for policy I developed running in a "strict"
>configuration. That means with the unconfined module removed from the
>policy. It is possible that some patches from this are needed even in
>a
>"targeted" configuration. But most are only related to strict
>configuration.
>
>There are no dependencies with other patches I've sent recently.
>
>Index: refpolicy-2.20170419/policy/modules/system/fstools.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
>+++ refpolicy-2.20170419/policy/modules/system/fstools.te
>@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
>+selinux_getattr_fs(fsadm_t)
>+
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
>Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
>+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>
> userdom_use_user_terminals(load_policy_t)
> userdom_use_all_users_fds(load_policy_t)
>+dev_read_urand(load_policy_t)
>
> ifdef(`distro_ubuntu',`
> optional_policy(`
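Review bot: `dev_read_urand(load_policy_t)` in the selinuxutil.te hunk is appended after the userdom_ calls, whereas this file groups interface calls by module layer (the semanage_t block in the following hunk shows the pattern, with `dev_read_urand(semanage_t)` sitting with the corecmd_/kernel_ calls rather than after userdom_). Move the new line up beside load_policy_t's other low-layer calls so the block stays in the expected order. The load_policy_t section continues outside the hunk, so the exact neighbour is not visible here.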
>@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
> fs_getattr_tracefs(restorecond_t)
> fs_list_inotifyfs(restorecond_t)
> fs_relabelfrom_noxattr_fs(restorecond_t)
>+fs_getattr_pstorefs(restorecond_t)
>
> selinux_validate_context(restorecond_t)
> selinux_compute_access_vector(restorecond_t)
>@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
>
> corecmd_exec_bin(semanage_t)
>+corecmd_exec_shell(semanage_t)
>
> dev_read_urand(semanage_t)
>
>@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
>+fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> fs_getattr_tracefs(setfiles_t)
>Index: refpolicy-2.20170419/policy/modules/system/systemd.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
>+++ refpolicy-2.20170419/policy/modules/system/systemd.te
>@@ -854,6 +854,11 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ apt_use_fds(systemd_tmpfiles_t)
>+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
>+')
>+
>+optional_policy(`
> xfs_create_tmp_dirs(systemd_tmpfiles_t)
> ')
>
>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
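Review bot: `fs_getattr_pstorefs(restorecond_t)` is inserted after `fs_relabelfrom_noxattr_fs`, breaking the alphabetical order the surrounding fs_ calls keep (pstore_dirs, tracefs, inotifyfs, relabelfrom). The setfiles_t hunk below in the same file already has `fs_getattr_pstore_dirs` followed by `fs_getattr_pstorefs`, so match that and place the new line directly after `fs_getattr_pstore_dirs(restorecond_t)` in the hunk header's context line.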
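Review bot: The new optional_policy block in systemd.te mixes interfaces from two different modules, apt and dpkg; refpolicy's convention is one module per `optional_policy` block, because the whole block is dropped when any module it references is not loaded, so on a system with the dpkg module but no apt module systemd-tmpfiles would silently lose the dpkg fd/fifo access as well. Split it into `optional_policy(\` apt_use_fds(systemd_tmpfiles_t) ')` and a separate `optional_policy(\` dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t) ')`, kept in alphabetical order with the existing blocks.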
>@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>
> ########################################
> ##
>+## Inherit and use file descriptors
>+## from dpkg scripts.
>+##
>+##
>+##
>+## Domain allowed access.
>+##
>+##
>+#
>+interface(`dpkg_script_rw_inherited_fifos',`
>+ gen_require(`
>+ type dpkg_script_t;
>+ ')
>+
>+ allow $1 dpkg_script_t:fd use;
>+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
>+')
>+
>+########################################
>+##
> ## Read dpkg package database content.
> ##
> ##
>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>@@ -33,6 +33,7 @@ type dpkg_script_t;
> domain_type(dpkg_script_t)
> domain_entry_file(dpkg_t, dpkg_var_lib_t)
> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
> corecmd_shell_entry_type(dpkg_script_t)
> corecmd_bin_entry_type(dpkg_script_t)
> domain_obj_id_change_exemption(dpkg_script_t)
>@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
>+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
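Review bot: `dpkg_script_rw_inherited_fifos` duplicates the `allow $1 dpkg_script_t:fd use;` that the existing `dpkg_use_script_fds` interface (whose header is the hunk's context line) already provides, and its name does not follow the module_verb_object pattern of its neighbour. Either call `dpkg_use_script_fds($1)` from the new interface and keep only the fifo_file rule, or name it for what it adds, e.g. `dpkg_rw_inherited_script_pipes`, with a summary that mentions the pipes: `## Read and write inherited pipes from dpkg scripts and use their file descriptors.`. The `##` documentation lines are empty in this rendering where the `<summary>` and `<param>` tags should be; presumably the mailer stripped them, but confirm they are present in the patch since the refpolicy build parses them.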
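Review bot: The two dpkg.te hunks make dpkg_script_tmp_t a second entry point for dpkg_script_t, so any domain able to write a dpkg_script_tmp_t file can supply an executable that dpkg_t will run in the maintainer-script domain, which runs as root. That is presumably the script domain's own temp type, so this is not a new cross-domain path, but neither the hunks nor the description say which maintainer script is executed from a temp file; record the resolving denial in the commit message and add a why-comment above the transition, e.g. `# dpkg executes maintainer scripts it unpacked to a temp file`. The declaration of dpkg_script_tmp_t is not in these hunks, so verify it is declared (and given files_tmp_file) before the new domain_entry_file line.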
>@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
> userdom_use_user_terminals(system_mail_t)
>
> optional_policy(`
>+ apt_use_fds(system_mail_t)
>+ apt_use_ptys(system_mail_t)
>+')
>+
>+optional_policy(`
> apache_read_squirrelmail_data(system_mail_t)
> apache_append_squirrelmail_data(system_mail_t)
> apache_dontaudit_append_log(system_mail_t)
>Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
>+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
>@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
> init_exec(sysadm_t)
> init_admin(sysadm_t)
>
>+selinux_read_policy(sysadm_t)
>+
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> userdom_home_filetrans_user_home_dir(sysadm_t)
>@@ -99,6 +101,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ system_mail_role(sysadm_r)
>+')
>+
>+optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
>Index: refpolicy-2.20170419/policy/modules/services/xserver.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
>+++ refpolicy-2.20170419/policy/modules/services/xserver.te
>@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>
> allow xdm_t xauth_home_t:file manage_file_perms;
>-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
>+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file,
>".Xauthority")
>+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file,
>".xsession-errors")
>
> allow xauth_t xdm_t:process sigchld;
> allow xauth_t xdm_t:fd use;
>Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
>+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
>@@ -189,7 +189,7 @@ optional_policy(`
> # Groupadd local policy
> #
>
>-allow groupadd_t self:capability { audit_write chown dac_override kill
>setuid sys_resource };
>+allow groupadd_t self:capability { audit_write chown dac_override
>fsetid kill setuid sys_resource };
> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
>allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate
>setrlimit execmem execheap execstack };
> allow groupadd_t self:process { setrlimit setfscreate };
>Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
>+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
>@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
> # Local policy
> #
>
>-allow apt_t self:capability { chown dac_override fowner fsetid };
>+allow apt_t self:capability { chown dac_override fowner fsetid kill
>setgid setuid };
> allow apt_t self:process { signal setpgid fork };
> allow apt_t self:fd use;
> allow apt_t self:fifo_file rw_fifo_file_perms;
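Review bot: The new `userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")` names user_home_t directly inside xserver.te; refpolicy modules may only reach another module's types through that module's interfaces or an explicit gen_require, so unless xserver.te already requires user_home_t (not visible in this hunk) this line will not build, and the interface form `userdom_user_home_dir_filetrans_user_home_content(xdm_t, file, ".xsession-errors")` should be used instead. Separately, narrowing the xauth_home_t transition to the name `.Xauthority` means any other file xdm_t creates directly in a home directory no longer transitions and inherits the directory's label; that is a tightening, but it is a behaviour change and should be stated in the commit message.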
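Review bot: With fsetid now in the groupadd_t allow rule, the unchanged `dontaudit groupadd_t self:capability { fsetid sys_tty_config };` on the next line is contradictory: an allowed permission never produces an audit record, so the dontaudit is dead for fsetid and misleads a reader into thinking the capability is still withheld. Trim it in the same change to `dontaudit groupadd_t self:capability sys_tty_config;`.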
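Review bot: The apt_t capability set grows by `kill setgid setuid` with nothing in the hunk or the cover letter saying which operation needs each one. setuid/setgid are plausibly apt dropping to its unprivileged fetch user, but `kill` lets apt_t signal processes of any UID system-wide and is frequently just apt cleaning up a child it has already de-privileged, which is a candidate for `dontaudit apt_t self:capability kill;` rather than an allow if the signal is best-effort. Record the resolving denials in the commit message, and add a brief why-comment above the rule for the privilege-drop capabilities, e.g. `# setuid/setgid: drop to the unprivileged fetch user`.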
>@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
>fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file
>fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>
> allow apt_t apt_var_log_t:file manage_file_perms;
> logging_log_filetrans(apt_t, apt_var_log_t, file)
>+allow apt_t apt_var_log_t:dir manage_dir_perms;
>
> can_exec(apt_t, apt_exec_t)
>
>Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
>+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
>@@ -121,6 +121,23 @@ interface(`mta_role',`
>
> ########################################
> ##
>+## Enable system_mail_t to run in the specified role
>+##
>+##
>+##
>+## Role allowed access.
>+##
>+##
>+#
>+interface(`system_mail_role',`
>+ gen_require(`
>+ type system_mail_t;
>+ ')
>+ role $1 types system_mail_t;
>+')
>+
>+########################################
>+##
> ## Make the specified domain usable for a mail server.
> ##
> ##
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
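Review bot: `allow apt_t apt_var_log_t:dir manage_dir_perms;` lets apt_t create directories, but the only transition in this block is `logging_log_filetrans(apt_t, apt_var_log_t, file)`, so a directory apt creates under /var/log would be labelled var_log_t rather than apt_var_log_t and the new rule would not apply to it. If apt creates /var/log/apt itself, change the transition to `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })`; and for consistency with the cache rules in the previous hunk, write the new rule as `manage_dirs_pattern(apt_t, apt_var_log_t, apt_var_log_t)`.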
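Review bot: `system_mail_role` lacks the module prefix that every other interface in mta.if carries (`mta_role` is this hunk's context line, `mta_mailserver` follows it), and refpolicy requires the prefix so callers can tell which module provides an interface; `mta_system_mail_role` would match. The body also needs a blank line between the `gen_require` block and the `role` statement, and the summary should make clear that it only adds the role/type association, since the caller still needs a domain transition into system_mail_t for the role to be reachable. The `<summary>`/`<param>` tags appear to have been stripped by the mailer in this rendering; confirm they survive in the actual patch.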