From: pebenito@ieee.org (Chris PeBenito) Date: Thu, 15 Feb 2018 17:11:37 -0500 Subject: [refpolicy] [PATCH] simple map patch In-Reply-To: <20180213004605.GB17327@xev> References: <20180213004605.GB17327@xev> Message-ID: To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com On 02/12/2018 07:46 PM, Russell Coker via refpolicy wrote:
> A few simple patches to allow map permission.
>
> Index: refpolicy-2.20180211/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180211/policy/modules/system/logging.te
> @@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t)
>
> domain_use_interactive_fds(audisp_t)
>
> +files_map_etc_files(audisp_t)
> files_read_etc_files(audisp_t)
> files_read_etc_runtime_files(audisp_t)
>
> @@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t)
>
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;
> +
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> Index: refpolicy-2.20180211/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20180211/policy/modules/system/lvm.te
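Review bot: In the second logging.te hunk the new `allow syslogd_t syslogd_tmp_t:file map;` is followed by an added blank line, which separates `files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })` from the manage pattern block it belongs to; the third hunk (`syslogd_var_run_t`) and the lvm.te hunk for `lvm_etc_t` insert their `map` rule with the same extra blank line. Dropping that blank line keeps each type's rules in one group, e.g. `manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)` / `allow syslogd_t syslogd_tmp_t:file map;` / `files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })`. The surrounding syslogd_t rule block continues outside these hunks.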
> @@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
> files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
>
> read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> +allow lvm_t lvm_etc_t:file map;
> +
> read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
> manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
> Index: refpolicy-2.20180211/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180211/policy/modules/system/systemd.if
> @@ -368,6 +368,7 @@ interface(`systemd_manage_journal_files'
>
> manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> + allow $1 systemd_journal_t:file map;
> ')
>
>
> Index: refpolicy-2.20180211/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20180211/policy/modules/kernel/files.if
> @@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',`
>
> ########################################
> ##
> +## Map generic files in /etc.
> +##
> +##
> +##
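Review bot: Adding `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` widens the access of every existing caller of that interface, not only the domain that needed to mmap the journal, and nothing in the hunk records that the interface now grants mapping. The interface header and its summary start outside the hunk; the summary should mention mapping so a policy author choosing this interface knows it is broader than a plain manage interface, for example by adding `and map` to its verb list if it is phrased like the other manage interfaces. If only one caller needs it, a separate map interface (as this patch does for `files_map_etc_files` and `dpkg_map_script_tmp_files`) would keep the other callers' access unchanged.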

> +## Allow the specified domain to map generic files in /etc.
> +##

> +##

> +## Related interfaces:
> +##

> +##
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +##
> +#
> +interface(`files_map_etc_files',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:file map;
> +')
> +
> +########################################
> +##
> ## Do not audit attempts to write generic files in /etc.
> ##
> ##
> Index: refpolicy-2.20180211/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20180211/policy/modules/contrib/dpkg.if
> @@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files'
> allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
> allow $1 dpkg_script_tmp_t:file manage_file_perms;
> ')
> +
> +########################################
> +##
> +## map dpkg_script_tmp_t files
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`dpkg_map_script_tmp_files',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + allow $1 dpkg_script_tmp_t:file map;
> +')
> Index: refpolicy-2.20180211/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180211/policy/modules/system/modutils.te
> @@ -132,7 +132,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for postinst of a new kernel package
> dpkg_manage_script_tmp_files(kmod_t)
> + dpkg_map_script_tmp_files(kmod_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20180211/policy/modules/contrib/dictd.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/dictd.te
> +++ refpolicy-2.20180211/policy/modules/contrib/dictd.te
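Review bot: `files_map_etc_files` grants `map` only on `etc_t`, so a caller that also reads generic runtime files in /etc through `files_read_etc_runtime_files()` (audisp_t and logrotate_t in this patch do) will still be denied if it maps one of those files; whether either daemon does so cannot be told from the hunk. The description should state that limit so callers pick the right interface, e.g. `## This does not cover generic runtime files in /etc.`. The interface also grants `map` without `read`, which is only usable in combination with `files_read_etc_files()`; the `## Related interfaces:` paragraph in the description appears to have lost its entries in this quoted copy, and should name `files_read_etc_files()` explicitly.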
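Review bot: The summary of the new `dpkg_map_script_tmp_files` interface reads `## map dpkg_script_tmp_t files`, which names the type rather than describing the access and is lowercase without a full stop, unlike the other summaries in this patch such as `## Map generic files in /etc.`; suggest `## Map dpkg script temporary files.`. The `kmod_t` caller added in the modutils.te hunk already receives `manage_file_perms` on the same type through `dpkg_manage_script_tmp_files`, so the added `map` is consistent with that, and the new comment `# for postinst of a new kernel package` there applies to both calls, which is worth reflecting in its wording.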
> @@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
>
> domain_use_interactive_fds(dictd_t)
>
> +files_map_usr_files(dictd_t)
> files_read_etc_runtime_files(dictd_t)
> files_read_usr_files(dictd_t)
> files_search_var_lib(dictd_t)
> Index: refpolicy-2.20180211/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20180211/policy/modules/contrib/tor.te
> @@ -55,6 +55,7 @@ allow tor_t tor_etc_t:lnk_file read_lnk_
>
> manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> +allow tor_t tor_var_lib_t:file map;
> manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
>
> Index: refpolicy-2.20180211/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20180211/policy/modules/contrib/logrotate.te
> @@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
> domain_getattr_all_entry_files(logrotate_t)
> domain_read_all_domains_state(logrotate_t)
>
> +files_map_etc_files(logrotate_t)
> files_read_usr_files(logrotate_t)
> files_read_etc_runtime_files(logrotate_t)
> files_read_all_pids(logrotate_t)
Merged. -- Chris PeBenito