From: russell@coker.com.au (Russell Coker) Date: Fri, 21 Apr 2017 00:04:35 +1000 Subject: [refpolicy] [PATCH] second strict patch take 2 In-Reply-To: <1034371419.181844.1492691217821@pim.register.it> References: <20170420023321.mi2ued4gvuipopkr@athena.coker.com.au> <1034371419.181844.1492691217821@pim.register.it> Message-ID: <201704210004.35741.russell@coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On Thu, 20 Apr 2017 10:26:57 PM Guido Trentalancia via refpolicy wrote: > > --- refpolicy-2.20170419.orig/policy/modules/system/init.if > > +++ refpolicy-2.20170419/policy/modules/system/init.if > > @@ -2966,6 +2966,7 @@ interface(`init_admin',` > > > > init_reload($1) > > init_reload_all_units($1) > > init_shutdown_system($1) > > > > + init_start_system($1) > > I have already mentioned this too. Please enclose systemd-related > permissions in an appropriate ifdef (init_systemd) statement ! > > The above permission only applies to systemd. As do all the permissions in the init_admin() interface apart from init_telinit(). If you want to wrap all calls to init_admin() in ifdef init_systemd or have ifdef init_systemd around everything in that interface then submit a patch for it however you think it should be. > > --- refpolicy-2.20170419.orig/policy/modules/system/init.te > > +++ refpolicy-2.20170419/policy/modules/system/init.te 
> > @@ -135,9 +135,15 @@ can_exec(init_t, init_exec_t) > > > > allow init_t initrc_t:unix_stream_socket connectto; > > > > # For /var/run/shutdown.pid. > > > > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > > I have already mentioned this too. Please enclose systemd-related > permissions in an appropriate ifdef (init_systemd) statement ! > > The above permission only applies to systemd. What is the point in restricting how init_t can access init_var_run_t? > > allow init_t init_var_run_t:file manage_file_perms; > > files_pid_filetrans(init_t, init_var_run_t, file) > > > > +# for /run/initctl > > +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; > > + > > +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; > > I have already mentioned this too. Please enclose systemd-related > permissions in an appropriate ifdef (init_systemd) statement ! > > The above permission only applies to systemd. What is the point in restricting how init_t can access init_var_run_t? I've removed the duplicate line. > > + > > > > # for systemd to manage service file symlinks > > allow init_t init_var_run_t:file manage_lnk_file_perms; > > > > @@ -170,6 +176,8 @@ files_read_etc_files(init_t) > > > > files_rw_generic_pids(init_t) > > files_manage_etc_runtime_files(init_t) > > files_etc_filetrans_etc_runtime(init_t, file) > > > > +files_list_usr(init_t) > > + > > I have already mentioned this too. Please enclose systemd-related > permissions in an appropriate ifdef (init_systemd) statement ! > > The above permission only applies to systemd. I've removed that because it was a duplicate line. -- My Main Blog http://etbe.coker.com.au/ My Documents Blog http://doc.coker.com.au/
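Review bot: In the init.if hunk adding init_start_system($1) to init_admin(), wrapping only this one call in ifdef(`init_systemd') would be inconsistent with the adjacent init_reload($1), init_reload_all_units($1) and init_shutdown_system($1) calls, which are not wrapped; either the whole block of systemd-only calls gets a single ifdef(`init_systemd',` ... ') in a separate patch, or none of them does, and the interface's doc comment should say which init system it targets. Also confirm that init_start_system() is actually defined in this series, since the hunk calls it but nothing shown declares it.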
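Review bot: In the init.te hunk at @@ -135, the new `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is placed under the comment "# For /var/run/shutdown.pid.", which describes a regular file, while the existing rule under "# for systemd to manage service file symlinks" is `allow init_t init_var_run_t:file manage_lnk_file_perms;`, i.e. the symlink permission set on the wrong object class. The one remaining lnk_file rule (the reply says the duplicate copy after the fifo_file rule was dropped) should replace that `:file manage_lnk_file_perms` line under the symlink comment rather than sit under the shutdown.pid comment, so each rule is next to the comment that explains it.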
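Review bot: The `# for /run/initctl` addition grants `allow init_t init_var_run_t:fifo_file manage_fifo_file_perms;` but the only transition rule in the hunk is `files_pid_filetrans(init_t, init_var_run_t, file)`, which covers the file class alone, so a fifo (or a symlink) that init_t creates in /run would be labelled with the directory default rather than init_var_run_t and the new rules would not apply to it. If init_t is expected to create these objects, extend the transition to the added classes, e.g. `files_pid_filetrans(init_t, init_var_run_t, { file fifo_file lnk_file })`, or name the fifo with a filename transition; if they are created by something else, the comment should say so.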