From: pebenito@ieee.org (Chris PeBenito)
Date: Sun, 17 Sep 2017 11:11:48 -0400
Subject: [refpolicy] [PATCH] minor nspawn, dnsmasq, and mon patches
In-Reply-To: <20170917031908.fj3mztqo56bq6uty@athena.coker.com.au>
References: <20170917031908.fj3mztqo56bq6uty@athena.coker.com.au>
Message-ID:
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

On 09/16/2017 11:19 PM, Russell Coker via refpolicy wrote:
> Label some shell scripts from bridge-utils correctly. Maybe have ifdef
> distro_debian around this, not sure what upstream is doing.
>
> systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
> labeled chroot.
>
> Another dontaudit for mon_local_test_t to stop it spamming the logs.
>
> Support a .d directory for dnsmasq config files.
>
> Index: refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
> @@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
>
> /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20170909/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170909/policy/modules/system/systemd.te
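Review bot: The distro question the description raises is left unresolved in the corecommands.fc hunk itself: the new `/usr/lib/bridge-utils/.*\.sh` entry is added unconditionally, while the hunk header shows `ifdef(`distro_gentoo',`` as the nearest enclosing context, so it is not clear from the hunk whether the line lands in a distro-specific block or in the generic section. If the bridge-utils helper scripts live under /usr/lib only on Debian, the entry should be inside an `ifdef(`distro_debian',`` block like other distro-specific paths in this file; if the path is generic, a short commit-message sentence saying so would close the question. Also note that `.*` in the pattern crosses directory separators, so nested `.sh` files under bridge-utils are labeled bin_t as well, which is probably intended but worth stating.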
> @@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_n
> dev_mounton(systemd_nspawn_t)
> dev_setattr_generic_dirs(systemd_nspawn_t)
>
> - files_search_home(systemd_nspawn_t)
> + # manage etc symlinks for /etc/localtime
> + files_manage_etc_symlinks(systemd_nspawn_t)
> files_mounton_pid_dirs(systemd_nspawn_t)
> + files_search_home(systemd_nspawn_t)
>
> fs_getattr_cgroup(systemd_nspawn_t)
> fs_manage_cgroup_dirs(systemd_nspawn_t)
> Index: refpolicy-2.20170909/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20170909/policy/modules/contrib/mon.te
> @@ -209,6 +209,8 @@ miscfiles_read_localization(mon_local_te
>
> sysnet_read_config(mon_local_test_t)
>
> +userdom_dontaudit_user_tmpfs_files(mon_local_test_t)
> +
> optional_policy(`
> gpm_getattr_gpmctl(mon_local_test_t)
> ')
> Index: refpolicy-2.20170909/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170909/policy/modules/system/userdomain.if
> @@ -2809,6 +2809,25 @@ interface(`userdom_read_user_tmpfs_files
>
> ########################################
> ##
> +## dontaudit Read attempts of user tmpfs files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`userdom_dontaudit_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + dontaudit $1 user_tmpfs_t:file read_file_perms;
> + dontaudit $1 user_tmpfs_t:dir list_dir_perms;
> +')
> +
> +########################################
> +##
> ## relabel to/from user tmpfs dirs
> ##
> ##
> Index: refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/contrib/dnsmasq.te
> +++ refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
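Review bot: The comment `# manage etc symlinks for /etc/localtime` understates what the rule below it grants: `files_manage_etc_symlinks(systemd_nspawn_t)` is keyed on the etc_t type, and the hunk gives no narrower type for the container's /etc, so systemd_nspawn_t can create, delete and rename every etc_t symlink on the host as well as inside a labeled container. That is probably the only option available with the existing types, but the comment should say so, e.g. `# nspawn rewrites /etc/localtime in a labeled container; etc_t is shared with the host, so this also covers host /etc symlinks`. The hunk header suggests these lines sit inside the `systemd_nspawn_labeled_namespace` tunable_policy block, whose start and end are outside the hunk, so the grant appears to be conditional on that tunable; worth confirming, since that limits the exposure on hosts that do not use labeled containers.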
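Review bot: The new `userdom_dontaudit_user_tmpfs_files(mon_local_test_t)` call in mon.te suppresses audit records without any comment on what in the mon test scripts touches user tmpfs, so a later reader cannot tell whether the dontaudit is still needed or is masking a real misbehaviour. A one-line comment above the call naming the operation the scripts perform under user tmpfs (the description only says it "spams the logs") would let the rule be revisited when the trigger goes away. Silenced denials are invisible in the audit log by design, so the rationale needs to live in the policy source.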
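Review bot: The summary of the new interface in userdomain.if, `dontaudit Read attempts of user tmpfs files.`, describes only the first rule; the body also carries `dontaudit $1 user_tmpfs_t:dir list_dir_perms;`, so directory listing is silenced too and the documentation should say so, e.g. `## Do not audit attempts to read user tmpfs files or list user tmpfs directories.`. The `<summary>`/`<param>` XML markup that refpolicy's interface docs require is not visible in the quoted hunk; if it was lost only in quoting that is fine, otherwise the doc block as merged will not be picked up by the interface documentation generator.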
> @@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
> allow dnsmasq_t self:packet_socket create_socket_perms;
> allow dnsmasq_t self:rawip_socket create_socket_perms;
>
> -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
> +allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
> +allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
>
> manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
> files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)

Merged, though I renamed the interface.

--
Chris PeBenito
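Review bot: The two raw `allow` rules replacing `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` are a style regression for this file: refpolicy expresses these access vectors through the pattern macros, and the same effect (directory listing plus file reads) is obtained with `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` next to the original `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` line, which keeps the intent readable and consistent with the `manage_files_pattern` call below. Separately, the hunk only grants the access; for a `.d` configuration directory to actually be read under this rule its path must be labeled dnsmasq_etc_t, and no dnsmasq.fc change is part of this patch, so either the existing file contexts already cover that directory or the labeling is missing (not verifiable from the hunk).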