From: pebenito@ieee.org (Chris PeBenito)
Date: Wed, 26 Apr 2017 18:04:54 -0400
Subject: [refpolicy] [PATCH] somme little misc things
In-Reply-To: <20170426162347.md5u552q7zrhje2g@athena.coker.com.au>
References: <20170426162347.md5u552q7zrhje2g@athena.coker.com.au>
Message-ID: <eb83da59-3f36-7cfc-6994-27973d1aedb1@ieee.org>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 04/26/2017 12:23 PM, Russell Coker via refpolicy wrote:
> This patch allows setfiles to use file handles inherited from apt (for dpkg
> postinst scripts), adds those rsync permissions that were rejected previously
> due to not using interfaces, allows fsadm_t to stat /run/mount/utab, and
> allows system_cronjob_t some access it requires (including net_admin for
> when it runs utilities that set buffers).

I took almost everything, but there was a lot of moving in cron.  There 
are a couple notes:

> Index: refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170421/policy/modules/system/selinuxutil.te
> @@ -670,5 +670,9 @@ ifdef(`hide_broken_symptoms',`
>  ')
>
>  optional_policy(`
> +	apt_use_fds(setfiles_t)
> +')
> +
> +optional_policy(`
>  	hotplug_use_fds(setfiles_t)
>  ')
> Index: refpolicy-2.20170421/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170421/policy/modules/contrib/rsync.te
> @@ -123,6 +123,8 @@ dev_read_urand(rsync_t)
>  fs_getattr_all_fs(rsync_t)
>  fs_search_auto_mountpoints(rsync_t)
>
> +files_getattr_all_pipes(rsync_t)
> +files_getattr_all_sockets(rsync_t)
>  files_search_home(rsync_t)
>
>  auth_can_read_shadow_passwords(rsync_t)
> Index: refpolicy-2.20170421/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170421/policy/modules/system/fstools.te
> @@ -154,6 +154,9 @@ logging_send_syslog_msg(fsadm_t)
>
>  miscfiles_read_localization(fsadm_t)
>
> +# for /run/mount/utab
> +mount_getattr_runfile(fsadm_t)
> +
>  # losetup: bind mount_loopback_t files to loop devices
>  mount_rw_loopback_files(fsadm_t)
>
> Index: refpolicy-2.20170421/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20170421/policy/modules/system/mount.if
> @@ -228,3 +228,20 @@ interface(`mount_rw_runtime_files',`
>  	rw_files_pattern($1, mount_runtime_t, mount_runtime_t)
>  ')
>
> +########################################
> +## <summary>
> +##     Getattr on mount_var_run_t files
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_getattr_runfile',`
> +	gen_require(`
> +		type mount_var_run_t;
> +	')
> +
> +	allow $1 mount_var_run_t:file getattr;
> +')
> Index: refpolicy-2.20170421/policy/modules/contrib/cron.te
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/cron.te
> +++ refpolicy-2.20170421/policy/modules/contrib/cron.te
> @@ -336,6 +336,23 @@ ifdef(`distro_debian',`
>  	optional_policy(`
>  		logwatch_search_cache_dir(crond_t)
>  	')
> +	optional_policy(`
> +		apt_manage_cache(system_cronjob_t)
> +		apt_read_db(system_cronjob_t)
> +		dpkg_manage_db(system_cronjob_t)
> +	')
> +')
> +
> +optional_policy(`
> +	acct_manage_data(system_cronjob_t)
> +')
> +
> +optional_policy(`
> +	ntp_admin(system_cronjob_t, system_r)

The admin interfaces aren't intended to be used like this.


> +')
> +
> +optional_policy(`
> +	apache_delete_lib_files(system_cronjob_t)
>  ')
>
>  ifdef(`distro_redhat',`
> @@ -425,6 +442,7 @@ optional_policy(`
>  	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
>  	# so cron jobs can restart daemons
>  	init_stream_connect(system_cronjob_t)
> +	init_manage_script_service(system_cronjob_t)
>  ')
>
>  optional_policy(`
> @@ -436,14 +454,15 @@ optional_policy(`
>  # System local policy
>  #
>
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_bind_service setgid setuid sys_nice };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
>  allow system_cronjob_t self:process { signal_perms getsched setsched };
>  allow system_cronjob_t self:fd use;
>  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>  allow system_cronjob_t self:passwd rootok;
>
> -allow system_cronjob_t cron_log_t:file { append_file_perms create_file_perms setattr_file_perms };
> +allow system_cronjob_t cron_log_t:file manage_file_perms;

I'm skeptical of this because then a rogue cronjob can destroy some 
evidence of what it's doing.


>  logging_log_filetrans(system_cronjob_t, cron_log_t, file)
> +logging_manage_generic_logs(system_cronjob_t)

Why is this needed?  The same comment also applies as above.


>  allow system_cronjob_t cron_var_lib_t:file { manage_file_perms relabel_file_perms };
>  files_var_lib_filetrans(system_cronjob_t, cron_var_lib_t, file)
> @@ -460,7 +479,8 @@ files_lock_filetrans(system_cronjob_t, s
>  manage_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  manage_lnk_files_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t)
>  filetrans_pattern(system_cronjob_t, crond_tmp_t, system_cronjob_tmp_t, { file lnk_file })
> -files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, file)
> +files_tmp_filetrans(system_cronjob_t, system_cronjob_tmp_t, { file dir })
> +allow system_cronjob_t system_cronjob_tmp_t:dir manage_dir_perms;
>
>  manage_files_pattern(system_cronjob_t, system_cronjob_var_lib_t, system_cronjob_var_lib_t)
>
> @@ -471,7 +491,8 @@ allow system_cronjob_t crond_t:process s
>  allow system_cronjob_t cron_spool_t:dir list_dir_perms;
>  allow system_cronjob_t cron_spool_t:file rw_file_perms;
>
> -allow system_cronjob_t crond_tmp_t:file { read write };
> +allow system_cronjob_t crond_tmp_t:file rw_inherited_file_perms;
> +allow cronjob_t crond_tmp_t:file rw_inherited_file_perms;
>
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> @@ -563,6 +584,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	read_mrtg_etc(system_cronjob_t)
> +')
> +
> +optional_policy(`
>  	cyrus_manage_data(system_cronjob_t)
>  ')
>
> Index: refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/mrtg.if
> +++ refpolicy-2.20170421/policy/modules/contrib/mrtg.if
> @@ -2,6 +2,24 @@
>
>  ########################################
>  ## <summary>
> +##	Read mrtg configuration
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`read_mrtg_etc',`
> +	gen_require(`
> +		type mrtg_etc_t;
> +	')
> +
> +	allow $1 mrtg_etc_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Create and append mrtg log files.
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20170421/policy/modules/contrib/apt.if
> ===================================================================
> --- refpolicy-2.20170421.orig/policy/modules/contrib/apt.if
> +++ refpolicy-2.20170421/policy/modules/contrib/apt.if
> @@ -164,6 +164,26 @@ interface(`apt_use_ptys',`
>  ##	</summary>
>  ## </param>
>  #
> +interface(`apt_manage_cache',`
> +	gen_require(`
> +		type apt_var_cache_t;
> +	')
> +
> +	files_search_var($1)
> +	allow $1 apt_var_cache_t:dir manage_dir_perms;
> +	allow $1 apt_var_cache_t:file manage_file_perms;
> +')
> +
> +########################################
> +## <summary>
> +##	Read apt package cache content.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
>  interface(`apt_read_cache',`
>  	gen_require(`
>  		type apt_var_cache_t;



-- 
Chris PeBenito