From: russell@coker.com.au (Russell Coker)
Date: Tue, 13 Feb 2018 11:46:05 +1100
Subject: [refpolicy] [PATCH] simple map patch
Message-ID: <20180213004605.GB17327@xev>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com
A few simple patches to allow map permission.
Index: refpolicy-2.20180211/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180211/policy/modules/system/logging.te
@@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
+files_map_etc_files(audisp_t)
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t)
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
Index: refpolicy-2.20180211/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20180211/policy/modules/system/lvm.te
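Review bot: The new `files_map_etc_files(audisp_t)` line gives no hint which file under /etc audisp actually mmaps, so a later reader cannot judge whether a narrower type (or a dontaudit) would have been the better fix; the adjacent `files_read_etc_files(audisp_t)` already grants read, so `map` is the only new bit and the rule looks unmotivated on its own. Add a one-line comment above it naming the file from the denial that prompted this, e.g. `# audisp mmaps <file> under /etc`, filled in from the AVC. The same request applies to the two `allow syslogd_t ... :file map;` rules further down this file, which also arrive without a comment.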
@@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
Index: refpolicy-2.20180211/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180211/policy/modules/system/systemd.if
@@ -368,6 +368,7 @@ interface(`systemd_manage_journal_files'
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
')
Index: refpolicy-2.20180211/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20180211/policy/modules/kernel/files.if
@@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',`
########################################
##
+## Map generic files in /etc.
+##
+##
+##
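Review bot: The added `allow lvm_t lvm_etc_t:file map;` plus the blank line after it are wedged between `read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)` and `read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)`, splitting the pair of rules that together describe read access to lvm_etc_t. Move the rule to directly after the `read_lnk_files_pattern` line, without the extra blank, so the lvm_etc_t rules stay in one group. If this tree's misc_patterns.spt already has an `mmap_read_files_pattern()` macro (not visible from the hunk), using it in place of the raw allow would be the conventional form.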
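Review bot: Adding `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` silently widens what every existing caller of that interface is granted, whereas the same patch introduces separate `files_map_etc_files` and `dpkg_map_script_tmp_files` interfaces rather than folding `map` into the existing read/manage ones. Pick one approach: either add a `systemd_map_journal_files` interface and call it only from the domain that needs it, or say in the commit message that all callers of the manage interface are expected to mmap journal files (journald's own format is mmap-based, so the latter may well be intended, but it should be stated). The interface's header and gen_require are outside the hunk.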

+## Allow the specified domain to map generic files in /etc.
+##

+##

+## Related interfaces:
+##

+##
+##
+##
+##
+##
+## Domain allowed access.
+##
+##
+##
+#
+interface(`files_map_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file map;
+')
+
+########################################
+##
## Do not audit attempts to write generic files in /etc.
##
##
Index: refpolicy-2.20180211/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20180211/policy/modules/contrib/dpkg.if
@@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files'
allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
allow $1 dpkg_script_tmp_t:file manage_file_perms;
')
+
+########################################
+##
+## map dpkg_script_tmp_t files
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_map_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:file map;
+')
Index: refpolicy-2.20180211/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180211/policy/modules/system/modutils.te
@@ -132,7 +132,9 @@ optional_policy(`
')
optional_policy(`
+ # for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
+ dpkg_map_script_tmp_files(kmod_t)
')
optional_policy(`
Index: refpolicy-2.20180211/policy/modules/contrib/dictd.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/dictd.te
+++ refpolicy-2.20180211/policy/modules/contrib/dictd.te
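Review bot: `files_map_etc_files` grants `etc_t:file map` by itself, and the kernel checks `map` in addition to the read/write/execute permission that matches the requested protection at mmap() time, so a caller that does not also call `files_read_etc_files()` ends up with a rule that can never be exercised. Say so in the interface description, e.g. `##	Callers also need read access; see files_read_etc_files().`, and make sure the "Related interfaces" list names files_read_etc_files (the XML of this doc block is not legible in the hunk as shown, so I cannot confirm what the list contains). The two callers added by this patch, audisp_t and logrotate_t, should both be checked against that requirement. The hunk's trailing context is the start of the next interface's documentation, which continues outside the hunk.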
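Review bot: The summary `## map dpkg_script_tmp_t files` names the raw type instead of describing the files, unlike the summary the same patch writes for files.if (`Map generic files in /etc.`), and interface summaries are what the generated policy documentation shows to users. Change it to `##	Map dpkg script temporary files.` and capitalise/punctuate it like the neighbouring interfaces. A sentence noting that this is only useful together with dpkg_manage_script_tmp_files() or another read rule, since `map` alone is not usable, would also help the next caller.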
@@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
+files_map_usr_files(dictd_t)
files_read_etc_runtime_files(dictd_t)
files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
Index: refpolicy-2.20180211/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20180211/policy/modules/contrib/tor.te
@@ -55,6 +55,7 @@ allow tor_t tor_etc_t:lnk_file read_lnk_
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+allow tor_t tor_var_lib_t:file map;
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
Index: refpolicy-2.20180211/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20180211/policy/modules/contrib/logrotate.te
@@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
domain_read_all_domains_state(logrotate_t)
+files_map_etc_files(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
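Review bot: `files_map_usr_files(dictd_t)` calls an interface that this patch does not define, and nothing in the hunk shows it exists in this tree's files.if; if it is missing the dictd module will fail to build, so either confirm it is already present or add it alongside the new `files_map_etc_files`. A short comment naming what dictd mmaps under /usr would also justify granting `map` on all of usr_t rather than on a dictd-specific type, since the hunk alone does not say which file triggered the denial.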
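Review bot: `allow tor_t tor_var_lib_t:file map;` is inserted between `manage_files_pattern` and `manage_sock_files_pattern` for the same type, splitting the group of pattern macros that together describe tor_var_lib_t. Move it after `files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)` (or directly after the last pattern line) and add a comment saying what tor maps there, e.g. `# tor mmaps its cached state files`, adjusted to match the actual denial. tor_t already has write access through `manage_files_pattern`, so `map` is not a privilege expansion here, but the comment is what lets a later reviewer confirm that.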
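Review bot: `files_map_etc_files(logrotate_t)` is only usable if logrotate_t also has `files_read_etc_files`, and that rule is not in the hunk's context (the visible read rules cover usr, etc_runtime and pids only); please confirm it exists earlier in logrotate.te, since `map` is checked in addition to `read` at mmap() time. The line is also placed ahead of `files_read_usr_files` although the surrounding rules are grouped by interface prefix, so it would sit more naturally next to `files_read_etc_runtime_files`. A comment naming the /etc file logrotate maps (presumably its configuration, but that is not verifiable from the hunk) would document why the rule is needed.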