From: pebenito@ieee.org (Chris PeBenito) Date: Sat, 29 Apr 2017 11:30:19 -0400 Subject: [refpolicy] [PATCH] little misc strict In-Reply-To: <20170427064841.4ubil3jlfwt6jdcv@athena.coker.com.au> References: <20170427064841.4ubil3jlfwt6jdcv@athena.coker.com.au> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 04/27/2017 02:48 AM, Russell Coker via refpolicy wrote:
> This is the last of the strict patches for now.
>
> Index: refpolicy-2.20170427/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20170427/policy/modules/admin/usermanage.te
> @@ -189,7 +189,7 @@ optional_policy(`
> # Groupadd local policy
> #
>
> -allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
> +allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
> allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
> allow groupadd_t self:process { setrlimit setfscreate };
> Index: refpolicy-2.20170427/policy/modules/contrib/mta.if
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/contrib/mta.if
> +++ refpolicy-2.20170427/policy/modules/contrib/mta.if
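Review bot: With `fsetid` now in the allow set, the next line `dontaudit groupadd_t self:capability { fsetid sys_tty_config };` still lists it; a dontaudit on a permission that is granted is dead, and leaving it there hides that the capability is now actually allowed. Drop it so the line reads `dontaudit groupadd_t self:capability sys_tty_config;`. The patch description does not say which groupadd operation needs fsetid, so a one-line comment above the allow naming that operation would help later audits of groupadd_t's capability set.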
> @@ -121,6 +121,23 @@ interface(`mta_role',`
>
> ########################################
> ##
> +## Enable system_mail_t to run in the specified role
> ##
> ##
> ##
> ## Role allowed access.
> ##
> ##
> #
> interface(`system_mail_role',`
> + gen_require(`
> + type system_mail_t;
> + ')
> + role $1 types system_mail_t;
> +')
> +
> +########################################
> +##
> ## Make the specified domain usable for a mail server.
> ##
> ##
> Index: refpolicy-2.20170427/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20170427/policy/modules/roles/sysadm.te
> @@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
> init_exec(sysadm_t)
> init_admin(sysadm_t)
>
> +selinux_read_policy(sysadm_t)
> +
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> userdom_home_filetrans_user_home_dir(sysadm_t)
> @@ -104,6 +106,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + system_mail_role(sysadm_r)
I'm not particularly fond of interfaces that simply add a type to a role, as it seems like there should be some other path to get that association. I dropped this pending further explanation, e.g. why sysadm would be using the system_mail_t domain.
> +')
> +
> +optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
> Index: refpolicy-2.20170427/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20170427/policy/modules/services/xserver.te
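Review bot: `selinux_read_policy(sysadm_t)` is added to sysadm.te without a comment, while the neighbouring rules explain themselves (`# Add/remove user home directories`); a one-line note stating which sysadm tooling needs to read the loaded policy would make the grant auditable later. It is also placed unconditionally rather than in an `optional_policy()` block, so if it exists only to serve one optional tool it belongs in that tool's block; from this hunk alone I cannot tell which, and the patch description gives no reason.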
> @@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>
> allow xdm_t xauth_home_t:file manage_file_perms;
> -userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
> +userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
> +userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")
Fixed this last line to use the correct interface, userdom_user_home_dir_filetrans_user_home_content().
> allow xauth_t xdm_t:process sigchld;
> allow xauth_t xdm_t:fd use;
> Index: refpolicy-2.20170427/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170427/policy/modules/system/fstools.te
> @@ -134,6 +134,8 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
> +selinux_getattr_fs(fsadm_t)
> +
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
> Index: refpolicy-2.20170427/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170427.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170427/policy/modules/system/selinuxutil.te
> @@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>
> userdom_use_user_terminals(load_policy_t)
> userdom_use_all_users_fds(load_policy_t)
> +dev_read_urand(load_policy_t)
>
> ifdef(`distro_ubuntu',`
> optional_policy(`
> @@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
> fs_getattr_tracefs(restorecond_t)
> fs_list_inotifyfs(restorecond_t)
> fs_relabelfrom_noxattr_fs(restorecond_t)
> +fs_getattr_pstorefs(restorecond_t)
>
> selinux_validate_context(restorecond_t)
> selinux_compute_access_vector(restorecond_t)
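Review bot: The new `.xsession-errors` name transition in xserver.te only labels a file that xdm_t creates; the visible `allow xdm_t xauth_home_t:file manage_file_perms;` covers xauth_home_t alone, so unless xdm_t is granted create/write access to `user_home_t` files elsewhere in the file the transition will never fire. Because a privileged domain is writing a fixed file name into a directory the user controls, it is also worth confirming that xdm_t is not allowed to follow `user_home_t` symlinks, since a pre-existing link at that name is untouched by the transition and would be followed at xdm_t's privilege. A comment such as `# xdm writes the session error log into the user home dir` would explain why xdm_t rules sit in this xauth section; the surrounding xauth block continues outside the hunk.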
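Review bot: `dev_read_urand(load_policy_t)` is appended after the `userdom_*` calls, breaking the per-module alphabetical grouping selinuxutil.te otherwise keeps (compare the semanage_t block, where `dev_read_urand(semanage_t)` sits with the `corecmd_`/`kernel_` rules, well before any userdom call); it should move up above the `userdom_use_user_terminals(load_policy_t)` line next to whatever `dev_` rules load_policy_t already has there. The `fs_getattr_pstorefs(restorecond_t)` hunk has the same problem: it is added after `fs_relabelfrom_noxattr_fs(restorecond_t)` instead of directly after `fs_getattr_pstore_dirs(restorecond_t)`, which is the order the setfiles_t hunk uses. Both rule blocks continue outside their hunks.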
> @@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
>
> corecmd_exec_bin(semanage_t)
> +corecmd_exec_shell(semanage_t)
>
> dev_read_urand(semanage_t)
>
> @@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
> +fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> fs_getattr_tracefs(setfiles_t)
Otherwise merged. -- Chris PeBenito
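Review bot: `corecmd_exec_shell(semanage_t)` lets the domain that modifies the policy store run a shell, a broader grant than the existing `corecmd_exec_bin(semanage_t)`, and neither the hunk nor the patch description says what semanage invokes through a shell. Add a one-line comment above it naming the caller that produced the denial, and if that caller is an optional component, place the call in that component's `optional_policy()` block instead of granting it unconditionally. Widening what a policy-management domain may execute should carry an explicit rationale in the file so the grant can be re-evaluated later; semanage_t's rule block continues outside the hunk.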