From: russell@coker.com.au (Russell Coker)
Date: Sat, 04 Nov 2017 20:17:53 +1100
Subject: [refpolicy] map permissions
Message-ID: <3850548.JCvBVk9sDr@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

http://oss.tresys.com/pipermail/refpolicy/2017-May/009534.html

What happened to the patch from the above message?  The glibc implementations 
of getpwent(3) and friends map files so I have the following on a test 
machine.  If we aren't going to add the patch from the above message to allow 
map for most read permissions then I think we should do it for etc_t at least 
if we aren't going to allow it for all reads.  If so we could have a _nomap 
variant of interfaces for reading etc_t for the rare programs that can operate 
without getpwent(3) etc.

What do you think?

As an aside, am I the only person here testing with recent kernels?

# everything maps etc_t for /etc/passwd and /etc/group
allow chkpwd_t etc_t:file map;
allow chkpwd_t shadow_t:file map;
allow consolekit_t etc_t:file map;
allow local_login_t etc_t:file map;
allow system_sudo_t etc_t:file map;
allow systemd_logind_t etc_t:file map;
allow systemd_tmpfiles_t etc_t:file map;
allow getty_t etc_t:file map;
allow crond_t etc_t:file map;
allow audisp_t etc_t:file map;
allow mon_t etc_t:file map;
allow postfix_bounce_t etc_t:file map;
allow postfix_cleanup_t etc_t:file map;
allow postfix_local_t etc_t:file map;
allow postfix_master_t etc_t:file map;
allow postfix_pickup_t etc_t:file map;
allow postfix_postdrop_t etc_t:file map;
allow postfix_qmgr_t etc_t:file map;
allow semanage_t etc_t:file map;
allow sshd_t etc_t:file map;
allow syslogd_t etc_t:file map;
allow system_dbusd_t etc_t:file map;
allow system_mail_t etc_t:file map;
allow auditd_t etc_t:file map;

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/