From: russell@coker.com.au (Russell Coker)
Date: Sun, 17 Sep 2017 13:19:08 +1000
Subject: [refpolicy] [PATCH] minor nspawn, dnsmasq, and mon patches
Message-ID: <20170917031908.fj3mztqo56bq6uty@athena.coker.com.au>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
Label some shell scripts from bridge-utils correctly. Maybe this should be wrapped in
ifdef distro_debian; I'm not sure what upstream is doing.
systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.
Another dontaudit for mon_local_test_t to stop it spamming the logs.
Support a .d directory for dnsmasq config files.
Index: refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
@@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
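Review bot: The new entry labels every `.sh` regular file under /usr/lib/bridge-utils as bin_t, and the description itself leaves open whether that path is Debian-specific; if these scripts only exist on Debian, the entry belongs inside an `ifdef(`distro_debian',` block like the distro-specific entries elsewhere in this file, otherwise a short comment saying it applies generally would settle the question. The `.*\.sh` pattern also matches scripts in subdirectories, which is presumably intended. Which distributions ship this directory is not visible here.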
Index: refpolicy-2.20170909/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170909/policy/modules/system/systemd.te
@@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_n
dev_mounton(systemd_nspawn_t)
dev_setattr_generic_dirs(systemd_nspawn_t)
- files_search_home(systemd_nspawn_t)
+ # manage etc symlinks for /etc/localtime
+ files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_pid_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)
fs_getattr_cgroup(systemd_nspawn_t)
fs_manage_cgroup_dirs(systemd_nspawn_t)
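Review bot: `files_manage_etc_symlinks(systemd_nspawn_t)` grants manage permissions on every etc_t symlink, the host's /etc included, while the stated need is only rewriting /etc/localtime inside a labeled container, so the comment on the line above should record that scope rather than read as container-local, e.g. `# nspawn rewrites /etc/localtime in a labeled container; this covers all etc_t symlinks, host included`. Whether a narrower rule is possible depends on how the container tree is labeled, which is not visible here. The enclosing tunable_policy block starts before the hunk.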
Index: refpolicy-2.20170909/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20170909/policy/modules/contrib/mon.te
@@ -209,6 +209,8 @@ miscfiles_read_localization(mon_local_te
sysnet_read_config(mon_local_test_t)
+userdom_dontaudit_user_tmpfs_files(mon_local_test_t)
+
optional_policy(`
gpm_getattr_gpmctl(mon_local_test_t)
')
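Review bot: The new dontaudit silences read and directory-listing denials on user tmpfs for mon_local_test_t without a comment saying which test triggers them, so a later reader cannot judge whether the suppressed access is benign or a sign of a misconfigured monitor. If the logged denials are only getattr (a test stat'ing files in a tmpfs, which is a guess), an interface that dontaudits getattr alone would hide less than the read_file_perms and list_dir_perms this one covers. Otherwise a one-line comment above the call, `# local tests touch user tmpfs; the denials are noise`, is enough.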
Index: refpolicy-2.20170909/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170909/policy/modules/system/userdomain.if
@@ -2809,6 +2809,25 @@ interface(`userdom_read_user_tmpfs_files
########################################
##
+## dontaudit Read attempts of user tmpfs files.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`userdom_dontaudit_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ dontaudit $1 user_tmpfs_t:file read_file_perms;
+ dontaudit $1 user_tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+##
## relabel to/from user tmpfs dirs
##
##
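Review bot: The parameter description reads `Domain allowed access.`, which is the wording for an allow interface; for a dontaudit interface refpolicy's convention is `Domain to not audit.`, and the summary would read more naturally as `Do not audit attempts to read user tmpfs files.`. The interface's XML tags (summary, param) appear to have been stripped in this rendering, so this concerns the text only. Since read_file_perms covers getattr, open, ioctl and lock as well as read, the summary could also say "read or inspect" so callers know how much is being silenced.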
Index: refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/contrib/dnsmasq.te
+++ refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
@@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;
-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
+allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
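Review bot: The two raw allow rules replace a pattern macro; refpolicy style keeps the macros, so the same effect is `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` followed by the original `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)`, which also makes the actual delta (directory read, for enumerating the .d directory) visible in the diff. Supporting a .d directory additionally depends on /etc/dnsmasq.d being labeled dnsmasq_etc_t; if dnsmasq.fc does not already carry that entry, the patch is missing it, which cannot be checked here.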