From: guido@trentalancia.net (Guido Trentalancia)
Date: Wed, 19 Apr 2017 13:40:05 +0200
Subject: [refpolicy] [PATCH] fist "strict" patch
In-Reply-To:
References: <20170419104751.w42bk2et4dzoj2ia@athena.coker.com.au>
Message-ID: <2FB7DA7A-A57D-4E31-8FE6-E2F62C810F20@trentalancia.net>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Hello again. I am back on the previous issue... There is an interface xserver_user_home_dir_filetrans_user_xsession_log() that is used to set the file context for the .xsession-errors log file and such interface is called from xserver_restricted_role() which is called from xserver_role(). Are you not using the xserver_role()?
Regards,
Guido
Il 19 aprile 2017 13:28:32 CEST, Guido Trentalancia via refpolicy ha scritto:
>Hi.
>
>The file .xsession-errors is of type xsession_log_t and not user home
>content. So you should probably fix the file transition for xdm_t.
>
>Regards,
>
>Guido
>
>On the 19th of April 2017 12:47:51 CEST, Russell Coker via refpolicy
> wrote:
>>This is the first patch for policy I developed running in a "strict"
>>configuration. That means with the unconfined module removed from the
>>policy. It is possible that some patches from this are needed even in
>>a
>>"targeted" configuration. But most are only related to strict
>>configuration.
>>
>>There are no dependencies with other patches I've sent recently.
>>
>>Index: refpolicy-2.20170419/policy/modules/system/fstools.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
>>+++ refpolicy-2.20170419/policy/modules/system/fstools.te
>>@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
>> mls_file_read_all_levels(fsadm_t)
>> mls_file_write_all_levels(fsadm_t)
>>
>>+selinux_getattr_fs(fsadm_t)
>>+
>> storage_raw_read_fixed_disk(fsadm_t)
>> storage_raw_write_fixed_disk(fsadm_t)
>> storage_raw_read_removable_device(fsadm_t)
>>Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
>>+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>>@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>>
>> userdom_use_user_terminals(load_policy_t)
>> userdom_use_all_users_fds(load_policy_t)
>>+dev_read_urand(load_policy_t)
>>
>> ifdef(`distro_ubuntu',`
>> optional_policy(`
>>@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
>> fs_getattr_tracefs(restorecond_t)
>> fs_list_inotifyfs(restorecond_t)
>> fs_relabelfrom_noxattr_fs(restorecond_t)
>>+fs_getattr_pstorefs(restorecond_t)
>>
>> selinux_validate_context(restorecond_t)
>> selinux_compute_access_vector(restorecond_t)
>>@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
>> kernel_read_kernel_sysctls(semanage_t)
>>
>> corecmd_exec_bin(semanage_t)
>>+corecmd_exec_shell(semanage_t)
>>
>> dev_read_urand(semanage_t)
>>
>>@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
>> files_dontaudit_read_all_symlinks(setfiles_t)
>>
>> fs_getattr_all_xattr_fs(setfiles_t)
>>+fs_getattr_nfs(setfiles_t)
>> fs_getattr_pstore_dirs(setfiles_t)
>> fs_getattr_pstorefs(setfiles_t)
>> fs_getattr_tracefs(setfiles_t)
>>Index: refpolicy-2.20170419/policy/modules/system/systemd.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
>>+++ refpolicy-2.20170419/policy/modules/system/systemd.te
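Review bot: `dev_read_urand(load_policy_t)` is appended after the userdom_ calls, out of the layer order refpolicy keeps in .te files (kernel-layer dev_ calls precede system-layer seutil_/userdom_ calls), so it should move up with load_policy_t's other kernel-layer rules. The restorecond_t hunk has the same ordering problem: `fs_getattr_pstorefs(restorecond_t)` belongs directly after `fs_getattr_pstore_dirs(restorecond_t)`, as the setfiles_t hunk further down already lists them, not after `fs_relabelfrom_noxattr_fs`. Separately, `corecmd_exec_shell(semanage_t)` lets the policy-management domain run a shell with no comment on what needs it; a one-line comment naming the caller would let the grant be rechecked later.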
>>@@ -854,6 +854,11 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>>+ apt_use_fds(systemd_tmpfiles_t)
>>+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
>>+')
>>+
>>+optional_policy(`
>> xfs_create_tmp_dirs(systemd_tmpfiles_t)
>> ')
>>
>>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
>>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>>@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>>
>> ########################################
>> ##
>>+## Inherit and use file descriptors
>>+## from dpkg scripts.
>>+##
>>+##
>>+##
>>+## Domain allowed access.
>>+##
>>+##
>>+#
>>+interface(`dpkg_script_rw_inherited_fifos',`
>>+ gen_require(`
>>+ type dpkg_script_t;
>>+ ')
>>+
>>+ allow $1 dpkg_script_t:fd use;
>>+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
>>+')
>>+
>>+########################################
>>+##
>> ## Read dpkg package database content.
>> ##
>> ##
>>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>>@@ -33,6 +33,7 @@ type dpkg_script_t;
>> domain_type(dpkg_script_t)
>> domain_entry_file(dpkg_t, dpkg_var_lib_t)
>> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>>+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
>> corecmd_shell_entry_type(dpkg_script_t)
>> corecmd_bin_entry_type(dpkg_script_t)
>> domain_obj_id_change_exemption(dpkg_script_t)
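Review bot: The new optional_policy block couples two modules: `apt_use_fds(systemd_tmpfiles_t)` and `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)` share one block, so both rules drop out whenever either the apt or the dpkg module is absent from the build. Refpolicy keeps one module per optional_policy block; split this into an apt block and a dpkg block so each rule depends only on its own module.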
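Review bot: `allow $1 dpkg_script_t:fd use;` in the new interface appears to duplicate what the neighbouring `dpkg_use_script_fds` (visible in the hunk header) already grants, so the new interface should either call `dpkg_use_script_fds($1)` or carry only the fifo_file rule. The summary `Inherit and use file descriptors from dpkg scripts.` also omits the fifo access that is the interface's actual purpose; something like `Read and write inherited fifo files of dpkg scripts.` would match the name. The summary/param XML tags look stripped in this quoted copy, so please confirm the doc block is intact in the submitted patch.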
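Review bot: `domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)` turns a tmp type into an entrypoint for dpkg_script_t, and the second dpkg.te hunk adds the matching `spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)`. Any domain able to write dpkg_script_tmp_t files can thereby supply executables that dpkg_t will run in dpkg_script_t, which widens what counts as trusted maintainer-script content; a comment above the entry-file line stating which dpkg behaviour executes scripts from its tmp location would let reviewers judge that trade-off. If those scripts are only ever executed by dpkg_script_t itself rather than entered from dpkg_t, `can_exec(dpkg_script_t, dpkg_script_tmp_t)` would be a narrower alternative to a new entrypoint, but I cannot tell from the hunk which case applies.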
>>@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
>> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>>
>> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>>+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>>
>> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>>Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
>>@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
>> userdom_use_user_terminals(system_mail_t)
>>
>> optional_policy(`
>>+ apt_use_fds(system_mail_t)
>>+ apt_use_ptys(system_mail_t)
>>+')
>>+
>>+optional_policy(`
>> apache_read_squirrelmail_data(system_mail_t)
>> apache_append_squirrelmail_data(system_mail_t)
>> apache_dontaudit_append_log(system_mail_t)
>>Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
>>+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
>>@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
>> init_exec(sysadm_t)
>> init_admin(sysadm_t)
>>
>>+selinux_read_policy(sysadm_t)
>>+
>> # Add/remove user home directories
>> userdom_manage_user_home_dirs(sysadm_t)
>> userdom_home_filetrans_user_home_dir(sysadm_t)
>>@@ -99,6 +101,10 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>>+ system_mail_role(sysadm_r)
>>+')
>>+
>>+optional_policy(`
>> amanda_run_recover(sysadm_t, sysadm_r)
>> ')
>>
>>Index: refpolicy-2.20170419/policy/modules/services/xserver.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
>>+++ refpolicy-2.20170419/policy/modules/services/xserver.te
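Review bot: The new `system_mail_role(sysadm_r)` block is inserted ahead of the amanda block, whereas refpolicy orders a role file's optional_policy blocks alphabetically by module, so it belongs with the mta-related blocks further down. The interface it calls, defined in the mta.if hunk at the end of the patch, lacks the `mta_` prefix that every other mta.if interface carries (compare `mta_role` in that hunk's header); naming it consistently in both places keeps the module's interfaces discoverable. `selinux_read_policy(sysadm_t)` in the first sysadm.te hunk is a deliberate privilege grant to the admin role and deserves a one-line comment stating which tool in a strict configuration needs to read the binary policy.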
>>@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
>> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>>
>> allow xdm_t xauth_home_t:file manage_file_perms;
>>-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
>>+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file,
>>".Xauthority")
>>+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file,
>>".xsession-errors")
>>
>> allow xauth_t xdm_t:process sigchld;
>> allow xauth_t xdm_t:fd use;
>>Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
>>+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
>>@@ -189,7 +189,7 @@ optional_policy(`
>> # Groupadd local policy
>> #
>>
>>-allow groupadd_t self:capability { audit_write chown dac_override
>kill
>>setuid sys_resource };
>>+allow groupadd_t self:capability { audit_write chown dac_override
>>fsetid kill setuid sys_resource };
>> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
>>allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate
>>setrlimit execmem execheap execstack };
>> allow groupadd_t self:process { setrlimit setfscreate };
>>Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
>>@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
>> # Local policy
>> #
>>
>>-allow apt_t self:capability { chown dac_override fowner fsetid };
>>+allow apt_t self:capability { chown dac_override fowner fsetid kill
>>setgid setuid };
>> allow apt_t self:process { signal setpgid fork };
>> allow apt_t self:fd use;
>> allow apt_t self:fifo_file rw_fifo_file_perms;
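Review bot: `fsetid` is now both allowed and dontaudited for groupadd_t: the rewritten allow line adds it while the unchanged next line `dontaudit groupadd_t self:capability { fsetid sys_tty_config };` still lists it. The dontaudit is dead once the permission is granted, so trim it in the same patch to `dontaudit groupadd_t self:capability sys_tty_config;`. A short comment on what groupadd does that needs fsetid would also help, since capability grants are the part of a strict policy most worth auditing later.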
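Review bot: The widened capability set `{ chown dac_override fowner fsetid kill setgid setuid }` for apt_t adds three powerful capabilities with nothing in the hunk saying what needs them; setuid and setgid in particular let apt_t change identity, which is exactly the kind of grant a strict configuration exists to scrutinise. Please add a comment above the allow line tying each to a concrete need, e.g. `# setuid/setgid: presumably for switching to an unprivileged identity for download helpers; kill: signalling them -- confirm`, adjusted to whatever the audit log actually showed. If the identity change is only for helper processes, it may be worth asking whether that work belongs in a separate domain rather than in apt_t itself.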
>>@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
>>fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file
>>fifo_file })
>>
>> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>>+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>>
>> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>>@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>>
>> allow apt_t apt_var_log_t:file manage_file_perms;
>> logging_log_filetrans(apt_t, apt_var_log_t, file)
>>+allow apt_t apt_var_log_t:dir manage_dir_perms;
>>
>> can_exec(apt_t, apt_exec_t)
>>
>>Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
>>+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
>>@@ -121,6 +121,23 @@ interface(`mta_role',`
>>
>> ########################################
>> ##
>>+## Enable system_mail_t to run in the specified role
>>+##
>>+##
>>+##
>>+## Role allowed access.
>>+##
>>+##
>>+#
>>+interface(`system_mail_role',`
>>+ gen_require(`
>>+ type system_mail_t;
>>+ ')
>>+ role $1 types system_mail_t;
>>+')
>>+
>>+########################################
>>+##
>> ## Make the specified domain usable for a mail server.
>> ##
>> ##
>>_______________________________________________
>>refpolicy mailing list
>>refpolicy at oss.tresys.com
>>http://oss.tresys.com/mailman/listinfo/refpolicy
>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy
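Review bot: `manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)` is placed after the files pattern; refpolicy lists dirs before files (as the dpkg_tmp_t lines in the dpkg.te hunk do), so swap the two lines. In the following hunk, `allow apt_t apt_var_log_t:dir manage_dir_perms;` includes create on directories, but the existing `logging_log_filetrans(apt_t, apt_var_log_t, file)` only transitions files, so a directory apt_t creates under the log tree would inherit the generic log label rather than apt_var_log_t; if apt_t really creates its own log directory, widen the filetrans to `logging_log_filetrans(apt_t, apt_var_log_t, { dir file })`, and if it does not, something narrower than manage_dir_perms is probably enough.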