From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 26 Apr 2017 18:04:54 -0400
Subject: [refpolicy] [PATCH] somme little misc things
In-Reply-To: <20170426162347.md5u552q7zrhje2g@athena.coker.com.au>
References: <20170426162347.md5u552q7zrhje2g@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/26/2017 12:23 PM, Russell Coker via refpolicy wrote:
> This patch allows setfiles to use file handles inherited from apt (for dpkg
> postinst scripts), adds those rsync permissions that were rejected previously
> due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
> allows system_cronjob_t some access it requires (including net_admin for
> when it runs utilities that set buffers).

I took almost everything, but there was a lot of moving in cron. There are a couple notes:

> Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> @@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
> ')
>
> optional_policy(`
> + apt_use_fds(setfiles_t)
> +')
> +
> +optional_policy(`
> hotplug_use_fds(setfiles_t)
> ')
> Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
> @@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
> fs_getattr_all_fs(rsync_t)
> fs_search_auto_mountpoints(rsync_t)
>
> +files_getattr_all_pipes(rsync_t)
> +files_getattr_all_sockets(rsync_t)
> files_search_home(rsync_t)
>
> auth_can_read_shadow_passwords(rsync_t)
> Index: refpolicy-2.20170421/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170421/policy/modules/system/fstools.te
> @@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)
>
> miscfiles_read_localization(fsadm_t)
>
> +# for /run/mount/utab
> +mount_getattr_runfile(fsadm_t)
> +
> # losetup: bind mount_loopback_t files to loop devices
> mount_rw_loopback_files(fsadm_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170421/policy/modules/system/mount.if
> @@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
> rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
> ')
>
> +########################################
> +##
> +## Getattr on mount_var_run_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`mount_getattr_runfile',`
> + gen_require(`
> + type mount_var_run_t;
> + ')
> +
> + allow $1 mount_var_run_t:file getattr;
> +')
> Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170421/policy/modules/contrib/cron.te
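Review bot: The two new rules in the rsync.te hunk, `files_getattr_all_pipes(rsync_t)` and `files_getattr_all_sockets(rsync_t)`, grant getattr on every pipe and socket type in the policy, which is wider than the commit message ("permissions that were rejected previously due to not using interfaces") justifies on its own. If the underlying denials come from rsync stat-ing descriptors inherited from one particular caller, an interface scoped to that caller's types would be tighter; if the stat is merely incidental and rsync works without it, the dontaudit counterparts of these interfaces are the usual refpolicy answer. Either way a why-comment above the pair, e.g. `# stat of inherited pipes/sockets`, would let the next reviewer judge whether the "all" scope is still warranted.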
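Review bot: The new interface in the mount.if hunk requires `type mount_var_run_t` while the `mount_rw_runtime_files` interface directly above it (visible in the hunk's context, `rw_files_pattern($1, mount_runtime_t, mount_runtime_t)`) uses `mount_runtime_t`, so this tree appears to have already renamed the type; unless `mount_var_run_t` is still declared as an alias, enabling the module that calls this interface will fail at link time. The interface name `mount_getattr_runfile` also departs from the neighbouring naming scheme. I would name it `mount_getattr_runtime_files`, replace the raw allow with `getattr_files_pattern($1, mount_runtime_t, mount_runtime_t)`, and update the caller `mount_getattr_runfile(fsadm_t)` in the fstools.te hunk accordingly. Whether the caller also needs search on the parent runtime directory cannot be seen from this hunk; follow whatever `mount_rw_runtime_files` does above line 228.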
> @@ -336,6 +336,23 @@ ifdef(`distro_debian',`
> optional_policy(`
> logwatch_search_cache_dir(crond_t)
> ')
> + optional_policy(`
> + apt_manage_cache(system_cronjob_t)
> + apt_read_db(system_cronjob_t)
> + dpkg_manage_db(system_cronjob_t)
> + ')
> +')
> +
> +optional_policy(`
> + acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> + ntp_admin(system_cronjob_t, system_r)

The admin interfaces aren't intended to be used like this.

> +')
> +
> +optional_policy(`
> + apache_delete_lib_files(system_cronjob_t)
> ')
>
> ifdef(`distro_redhat',`
> @@ -425,6 +442,7 @@ optional_policy(`
> systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
> # so cron jobs can restart daemons
> init_stream_connect(system_cronjob_t)
> + init_manage_script_service(system_cronjob_t)
> ')
>
> optional_policy(`
> @@ -436,14 +454,15 @@ optional_policy(`
> # System local policy
> #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> allow system_cronjob_t self:process { signal_perms getsched setsched };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;

I'm skeptical of this because then a rogue cronjob can destroy some evidence of what it's doing.

> logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)

Why is this needed? The same comment also applies as above.

> allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
> files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
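Review bot: `apt_manage_cache(system_cronjob_t)` and `dpkg_manage_db(system_cronjob_t)` in the first cron.te hunk give every Debian system cron job write access to the package cache and the dpkg database, which is integrity-sensitive: a misbehaving or hijacked job can alter the recorded package state, and the commit message only says the domain needs "some access it requires". The hunk would benefit from a why-comment inside the new nested `optional_policy` naming the maintenance job that needs write access, e.g. `# dpkg/apt maintenance cron jobs`, and a check that read access (`apt_read_cache`, which the apt.if hunk keeps) is not already enough for the job that triggered the denial. The `acct_manage_data` and `apache_delete_lib_files` blocks that follow are placed outside `ifdef(`distro_debian'`, which looks intended but is worth confirming since the hunk's closing quotes were reshuffled.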
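Review bot: `init_manage_script_service(system_cronjob_t)` in the second cron.te hunk sits under the existing comment `# so cron jobs can restart daemons`, but if that interface grants manage permissions on every init-script service type (as its name suggests), it is a much broader grant than the `init_stream_connect` line the comment was written for: any system cron job could then start, stop or reload arbitrary units. A comment of its own stating which job needs full service management, e.g. `# logrotate/rsyslog style jobs reload their daemons`, or a check whether a reload-only or status-only interface exists in this tree, would keep the grant reviewable.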
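Review bot: Adding `net_admin` to `system_cronjob_t self:capability` in the third cron.te hunk is a large widening: CAP_NET_ADMIN covers interface, routing and firewall configuration, not just the socket-buffer tuning the commit message cites ("utilities that set buffers"). Utilities that ask for a buffer above the system maximum normally fall back cleanly when the capability is denied, so `dontaudit system_cronjob_t self:capability net_admin;` may be sufficient if the job works without it; if the allow is really required, a why-comment on that line, e.g. `# net_admin: utilities raising socket buffer limits`, should record the reason so the capability is not kept by inertia. The log-related lines in this hunk are already under discussion above.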
> @@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
> manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
> filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
> manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
> allow system_cronjob_t cron_spool_t:dir list_dir_perms;
> allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> @@ -563,6 +584,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
> cyrus_manage_data(system_cronjob_t)
> ')
>
> Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
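Review bot: The raw rule `allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;` in the first cron.te hunk on this line is inconsistent with the `manage_files_pattern(...)` calls surrounding it; the idiomatic form is `manage_dirs_pattern(system_cronjob_t, system_cronjob_tmp_t, system_cronjob_tmp_t)`. Note also that the `filetrans_pattern(..., crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })` two lines above still omits `dir`, so directories are only relabelled when created directly under tmp_t via `files_tmp_filetrans`; if jobs also create directories under `crond_tmp_t`, that class list and a matching dirs pattern would be needed as well.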
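Review bot: `allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;` in the second cron.te hunk on this line is placed in the "System local policy" section that governs `system_cronjob_t`, so a rule for what appears to be the user cron job domain does not belong here; moving it next to the other `cronjob_t` rules (outside this hunk) keeps the file navigable. Replacing `{ read write }` with `rw_inherited_file_perms` also adds getattr, append, ioctl and lock, which is a small widening that should be intentional; a short comment such as `# temp files are inherited from crond, not opened by the job` would document why the inherited permission set, rather than `rw_file_perms`, is the right one.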
> @@ -2,6 +2,24 @@
>
> ########################################
> ##
> +## Read mrtg configuration
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`read_mrtg_etc',`
> + gen_require(`
> + type mrtg_etc_t;
> + ')
> +
> + allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +##
> ## Create and append mrtg log files.
> ##
> ##
> Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170421/policy/modules/contrib/apt.if
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
> ##
> ##
> #
> +interface(`apt_manage_cache',`
> + gen_require(`
> + type apt_var_cache_t;
> + ')
> +
> + files_search_var($1)
> + allow $1 apt_var_cache_t:dir manage_dir_perms;
> + allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +##
> +## Read apt package cache content.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> interface(`apt_read_cache',`
> gen_require(`
> type apt_var_cache_t;

--
Chris PeBenito
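Review bot: The new interface in the mrtg.if hunk is named `read_mrtg_etc`, which breaks the refpolicy convention that interface names start with the module prefix (`<module>_<verb>_<object>`), and it uses a raw allow where the rest of the tree uses patterns. I would rename it `mrtg_read_config`, write the body as `files_search_etc($1)` followed by `read_files_pattern($1, mrtg_etc_t, mrtg_etc_t)` (the search interface presumes `mrtg_etc_t` lives under /etc, which the type name suggests but this hunk does not show), and update the caller `read_mrtg_etc(system_cronjob_t)` in the last cron.te hunk to match. The summary line would then read `## Read mrtg configuration files.`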
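Review bot: In the apt.if hunk, `interface(`apt_manage_cache'` is inserted directly beneath the existing documentation header whose tail (`##`, `##`, `#`) is the hunk's leading context, and a fresh "Read apt package cache content." header is then added for `apt_read_cache`; since that header text presumably reproduces the old one, the new manage interface now carries the read interface's description while the read interface gets a copy. The manage interface needs its own header block describing it, e.g. `## Create, read, write, and delete apt package cache content.`, placed between the old header and the new `interface(` line, with the old header left attached to `apt_read_cache`. For consistency with the rest of the tree, the two raw allows would also be better expressed as `manage_dirs_pattern($1, apt_var_cache_t, apt_var_cache_t)` and `manage_files_pattern($1, apt_var_cache_t, apt_var_cache_t)` after the `files_search_var($1)` call.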