2017-02-16 13:40:02

by Russell Coker

Subject: [refpolicy] [PATCH] little misc patches 2

Here's version 2 of the little misc patch with all the requested changes.

Index: refpolicy-2.20170216/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170216/policy/modules/system/init.fc
@@ -34,7 +34,6 @@ ifdef(`distro_gentoo', `
/usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
')

-
/usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)

@@ -42,6 +41,7 @@ ifdef(`distro_gentoo', `
/usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
/usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
/usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
+/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)

ifdef(`distro_gentoo', `
/usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
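Review bot: The `--` in the new `/usr/bin/systemd` entry restricts the match to regular files, so on a distribution where `/usr/bin/systemd` is a symlink to the real binary under `/lib/systemd` or `/usr/lib/systemd` this line labels nothing and the daemon still depends on a separate init_exec_t entry for the target path. I cannot tell from the patch which layout is being covered; if it is the symlink case, either drop the `--` or add the target path alongside it, and say which in a comment such as `# merged-/usr systems ship systemd here -- confirm symlink vs. file`.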
Index: refpolicy-2.20170216/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170216/policy/modules/system/logging.te
@@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)

init_dontaudit_use_fds(auditctl_t)

-locallogin_dontaudit_use_fds(auditctl_t)
-
logging_set_audit_parameters(auditctl_t)
logging_send_syslog_msg(auditctl_t)

@@ -133,6 +131,10 @@ ifdef(`init_systemd',`
init_rw_stream_sockets(auditctl_t)
')

+optional_policy(`
+ locallogin_dontaudit_use_fds(auditctl_t)
+')
+
########################################
#
# Auditd local policy
@@ -373,8 +375,8 @@ optional_policy(`
# sys_admin for the integrated klog of syslog-ng and metalog
# sys_nice for rsyslog
# cjp: why net_admin!
-allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
-dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
+allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
+dontaudit syslogd_t self:capability { sys_ptrace };
# setpgid for metalog
# setrlimit for syslog-ng
# getsched for syslog-ng
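Review bot: `setgid` and `setuid` are added to syslogd_t's capability set without the per-capability reason the surrounding comments give for sys_admin and sys_nice, and these two are the capabilities that let a domain change its credentials, so the justification matters more here than elsewhere in the line. Add an entry to the comment block above, e.g. `# setuid setgid for <daemon> (privilege drop or log-file ownership -- confirm)`, naming the logger that produced the denial. If only one syslog implementation needs them, consider granting them under that implementation's condition rather than to every syslogd_t.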
@@ -565,6 +567,8 @@ optional_policy(`

optional_policy(`
udev_read_db(syslogd_t)
+ # for systemd-journal to read seat data from /run/udev/data
+ udev_read_pid_files(syslogd_t)
')

optional_policy(`
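Review bot: The comment on the new `udev_read_pid_files(syslogd_t)` rule says it exists for systemd-journal, yet the rule is granted to every syslogd_t implementation regardless of init system. This file already gates journald-specific access on `ifdef(`init_systemd',`` (the auditctl_t block earlier in the same file), so wrap the new rule the same way inside the udev optional_policy block, `ifdef(`init_systemd',` udev_read_pid_files(syslogd_t) ')`. Otherwise a non-systemd syslog gains read access to udev's /run data it never needed.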
Index: refpolicy-2.20170216/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170216/policy/modules/system/lvm.te
@@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
init_use_script_ptys(lvm_t)
init_read_script_state(lvm_t)

+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+
logging_send_syslog_msg(lvm_t)

miscfiles_read_localization(lvm_t)
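Review bot: `dev_write_kmsg(lvm_t)` is justified only by the comment naming systemd-cryptsetup, but it is unconditional, so lvm_t can write to /dev/kmsg on non-systemd systems as well. Gate it as `ifdef(`init_systemd',` dev_write_kmsg(lvm_t) ')` so the grant stays tied to its stated reason. The comment also presumes that systemd-cryptsetup runs in lvm_t, which depends on a file-context entry not shown in this patch; worth naming that entry in the comment so the dependency is visible.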
Index: refpolicy-2.20170216/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170216/policy/modules/system/selinuxutil.te
@@ -343,8 +343,6 @@ files_relabel_non_auth_files(restorecond
files_read_non_auth_files(restorecond_t)
auth_use_nsswitch(restorecond_t)

-locallogin_dontaudit_use_fds(restorecond_t)
-
logging_send_syslog_msg(restorecond_t)

miscfiles_read_localization(restorecond_t)
@@ -358,6 +356,10 @@ ifdef(`distro_ubuntu',`
')

optional_policy(`
+ locallogin_dontaudit_use_fds(restorecond_t)
+')
+
+optional_policy(`
rpm_use_script_fds(restorecond_t)
')

@@ -482,8 +484,6 @@ term_use_all_terms(semanage_t)
# Running genhomedircon requires this for finding all users
auth_use_nsswitch(semanage_t)

-locallogin_use_fds(semanage_t)
-
logging_send_syslog_msg(semanage_t)

miscfiles_read_localization(semanage_t)
@@ -516,6 +516,10 @@ ifdef(`distro_ubuntu',`
')
')

+optional_policy(`
+ locallogin_use_fds(semanage_t)
+')
+
########################################
#
# Setfiles local policy
Index: refpolicy-2.20170216/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170216/policy/modules/system/sysnetwork.te
@@ -145,8 +145,6 @@ logging_send_syslog_msg(dhcpc_t)

miscfiles_read_localization(dhcpc_t)

-modutils_run_insmod(dhcpc_t, dhcpc_roles)
-
sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)

userdom_use_user_terminals(dhcpc_t)
@@ -205,6 +203,10 @@ optional_policy(`
')
')

+optional_policy(`
+ modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
+
# for the dhcp client to run ping to check IP addresses
optional_policy(`
netutils_run_ping(dhcpc_t, dhcpc_roles)
@@ -333,8 +335,6 @@ logging_send_syslog_msg(ifconfig_t)

miscfiles_read_localization(ifconfig_t)

-modutils_domtrans_insmod(ifconfig_t)
-
seutil_use_runinit_fds(ifconfig_t)

sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
@@ -377,6 +377,10 @@ optional_policy(`
')

optional_policy(`
+ modutils_domtrans_insmod(ifconfig_t)
+')
+
+optional_policy(`
nis_use_ypbind(ifconfig_t)
')

Index: refpolicy-2.20170216/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.te
+++ refpolicy-2.20170216/policy/modules/system/init.te
@@ -309,7 +309,9 @@ ifdef(`init_systemd',`
',`
# Run the shell in the sysadm role for single-user mode.
# causes problems with upstart
- sysadm_shell_domtrans(init_t)
+ ifndef(`distro_debian',`
+ sysadm_shell_domtrans(init_t)
+ ')
')
')

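Review bot: The new `ifndef(`distro_debian'` leaves the existing comment ("causes problems with upstart") explaining the wrong exclusion, and a reader cannot tell why Debian must not transition init's single-user shell to the sysadm role. Add a comment above the ifndef stating what breaks, e.g. `# Debian: <reason>; the single-user shell then presumably stays in init_t rather than sysadm_t -- confirm`, because the consequence of skipping the transition is that the emergency shell inherits init's own domain, which is a meaningful loss of confinement and should be a recorded decision. This branch is the non-systemd arm of an `ifdef(`init_systemd'` whose start is outside the hunk.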
@@ -563,9 +565,6 @@ miscfiles_read_localization(initrc_t)
# slapd needs to read cert files from its initscript
miscfiles_read_generic_certs(initrc_t)

-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
-
seutil_read_config(initrc_t)

userdom_read_user_home_content_files(initrc_t)
@@ -955,6 +954,11 @@ optional_policy(`
')

optional_policy(`
+ modutils_read_module_config(initrc_t)
+ modutils_domtrans_insmod(initrc_t)
+')
+
+optional_policy(`
mta_read_config(initrc_t)
mta_dontaudit_read_spool_symlinks(initrc_t)
')
Index: refpolicy-2.20170216/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170216/policy/modules/system/udev.te
@@ -125,6 +125,7 @@ files_search_mnt(udev_t)

fs_getattr_all_fs(udev_t)
fs_list_inotifyfs(udev_t)
+fs_read_cgroup_files(udev_t)
fs_rw_anon_inodefs_files(udev_t)

mcs_ptrace_all(udev_t)
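Review bot: `fs_read_cgroup_files(udev_t)` is the one new rule in this series without a why-comment, and it is a read grant over cgroupfs content generally rather than a specific file. Add a comment naming the access that was denied, e.g. `# udev reads /sys/fs/cgroup/... for <purpose> -- confirm path`, so the next person auditing udev_t's reach can judge whether a narrower rule would do.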
Index: refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
@@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)

kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)

domain_use_interactive_fds(kerneloops_t)

Index: refpolicy-2.20170216/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170216/policy/modules/services/xserver.if
@@ -934,6 +934,27 @@ interface(`xserver_create_xdm_tmp_socket

########################################
## <summary>
+## Unlink a named socket in a XDM
+## temporary directory.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_unlink_xdm_tmp_sockets',`
+ gen_require(`
+ type xdm_tmp_t;
+ ')
+
+ files_search_tmp($1)
+ allow $1 xdm_tmp_t:dir list_dir_perms;
+ allow $1 xdm_tmp_t:sock_file unlink;
+')
+
+########################################
+## <summary>
## Read XDM pid files.
## </summary>
## <param name="domain">
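Review bot: The new interface does not permit the unlink it documents: removing a sock_file needs `remove_name` and `write` on the containing directory, and `list_dir_perms` grants only search/read-style permissions, so a caller would still be denied on the directory. Replace the two allow rules with `delete_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)`, which pairs the sock_file unlink with the directory permissions the operation requires. The summary should also read "an XDM temporary directory" rather than "a XDM".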
Index: refpolicy-2.20170216/policy/modules/kernel/files.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/kernel/files.te
+++ refpolicy-2.20170216/policy/modules/kernel/files.te
@@ -11,6 +11,7 @@ attribute lockfile;
attribute mountpoint;
attribute pidfile;
attribute configfile;
+attribute spoolfile;

# For labeling types that are to be polyinstantiated
attribute polydir;
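Review bot: `attribute spoolfile` is declared but nothing in this patch assigns a type to it or adds a files_*spool* interface that consumes it, so as merged it is an empty attribute that grants nothing and cannot be audited. Either include the interface that populates it in the same change, or put a comment above the declaration, e.g. `# types of spool files; assigned via files_spool_file() (follow-up patch)`, naming the intended user so the line is not mistaken for dead code. If the populating interface is in a separate patch, say so in the description.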


2017-02-18 13:58:18

by Chris PeBenito

Subject: [refpolicy] [PATCH] little misc patches 2

On 02/16/17 08:40, Russell Coker via refpolicy wrote:
> Here's version 2 of the little misc patch with all the requested changes.

Merged, with a couple of tweaks:

> Index: refpolicy-2.20170216/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170216/policy/modules/system/init.fc
> @@ -34,7 +34,6 @@ ifdef(`distro_gentoo', `
> /usr/lib/rc/init\.d(/.*)? gen_context(system_u:object_r:initrc_state_t,s0)
> ')
>
> -
> /usr/libexec/dcc/start-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/libexec/dcc/stop-.* -- gen_context(system_u:object_r:initrc_exec_t,s0)
>
> @@ -42,6 +41,7 @@ ifdef(`distro_gentoo', `
> /usr/sbin/init(ng)? -- gen_context(system_u:object_r:init_exec_t,s0)
> /usr/sbin/open_init_pty -- gen_context(system_u:object_r:initrc_exec_t,s0)
> /usr/sbin/upstart -- gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/bin/systemd -- gen_context(system_u:object_r:init_exec_t,s0)

Moved this up.


> ifdef(`distro_gentoo', `
> /usr/sbin/rc -- gen_context(system_u:object_r:rc_exec_t,s0)
> Index: refpolicy-2.20170216/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170216/policy/modules/system/logging.te
> @@ -124,8 +124,6 @@ term_use_all_terms(auditctl_t)
>
> init_dontaudit_use_fds(auditctl_t)
>
> -locallogin_dontaudit_use_fds(auditctl_t)
> -
> logging_set_audit_parameters(auditctl_t)
> logging_send_syslog_msg(auditctl_t)
>
> @@ -133,6 +131,10 @@ ifdef(`init_systemd',`
> init_rw_stream_sockets(auditctl_t)
> ')
>
> +optional_policy(`
> + locallogin_dontaudit_use_fds(auditctl_t)
> +')
> +
> ########################################
> #
> # Auditd local policy
> @@ -373,8 +375,8 @@ optional_policy(`
> # sys_admin for the integrated klog of syslog-ng and metalog
> # sys_nice for rsyslog
> # cjp: why net_admin!
> -allow syslogd_t self:capability { chown dac_override fsetid net_admin sys_admin sys_nice sys_resource sys_tty_config };
> -dontaudit syslogd_t self:capability { sys_ptrace sys_tty_config };
> +allow syslogd_t self:capability { chown dac_override fsetid net_admin setgid setuid sys_admin sys_nice sys_resource sys_tty_config };
> +dontaudit syslogd_t self:capability { sys_ptrace };
> # setpgid for metalog
> # setrlimit for syslog-ng
> # getsched for syslog-ng
> @@ -565,6 +567,8 @@ optional_policy(`
>
> optional_policy(`
> udev_read_db(syslogd_t)
> + # for systemd-journal to read seat data from /run/udev/data
> + udev_read_pid_files(syslogd_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20170216/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170216/policy/modules/system/lvm.te
> @@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
> init_use_script_ptys(lvm_t)
> init_read_script_state(lvm_t)
>
> +# for systemd-cryptsetup
> +dev_write_kmsg(lvm_t)
> +
> logging_send_syslog_msg(lvm_t)
>
> miscfiles_read_localization(lvm_t)
> Index: refpolicy-2.20170216/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170216/policy/modules/system/selinuxutil.te
> @@ -343,8 +343,6 @@ files_relabel_non_auth_files(restorecond
> files_read_non_auth_files(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> -locallogin_dontaudit_use_fds(restorecond_t)
> -
> logging_send_syslog_msg(restorecond_t)
>
> miscfiles_read_localization(restorecond_t)
> @@ -358,6 +356,10 @@ ifdef(`distro_ubuntu',`
> ')
>
> optional_policy(`
> + locallogin_dontaudit_use_fds(restorecond_t)
> +')
> +
> +optional_policy(`
> rpm_use_script_fds(restorecond_t)
> ')
>
> @@ -482,8 +484,6 @@ term_use_all_terms(semanage_t)
> # Running genhomedircon requires this for finding all users
> auth_use_nsswitch(semanage_t)
>
> -locallogin_use_fds(semanage_t)
> -
> logging_send_syslog_msg(semanage_t)
>
> miscfiles_read_localization(semanage_t)
> @@ -516,6 +516,10 @@ ifdef(`distro_ubuntu',`
> ')
> ')
>
> +optional_policy(`
> + locallogin_use_fds(semanage_t)
> +')
> +
> ########################################
> #
> # Setfiles local policy
> Index: refpolicy-2.20170216/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170216/policy/modules/system/sysnetwork.te
> @@ -145,8 +145,6 @@ logging_send_syslog_msg(dhcpc_t)
>
> miscfiles_read_localization(dhcpc_t)
>
> -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> -
> sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
>
> userdom_use_user_terminals(dhcpc_t)
> @@ -205,6 +203,10 @@ optional_policy(`
> ')
> ')
>
> +optional_policy(`
> + modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +')
> +
> # for the dhcp client to run ping to check IP addresses
> optional_policy(`
> netutils_run_ping(dhcpc_t, dhcpc_roles)
> @@ -333,8 +335,6 @@ logging_send_syslog_msg(ifconfig_t)
>
> miscfiles_read_localization(ifconfig_t)
>
> -modutils_domtrans_insmod(ifconfig_t)
> -
> seutil_use_runinit_fds(ifconfig_t)
>
> sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
> @@ -377,6 +377,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_domtrans_insmod(ifconfig_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(ifconfig_t)
> ')
>
> Index: refpolicy-2.20170216/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170216/policy/modules/system/init.te
> @@ -309,7 +309,9 @@ ifdef(`init_systemd',`
> ',`
> # Run the shell in the sysadm role for single-user mode.
> # causes problems with upstart
> - sysadm_shell_domtrans(init_t)
> + ifndef(`distro_debian',`
> + sysadm_shell_domtrans(init_t)
> + ')
> ')
> ')
>
> @@ -563,9 +565,6 @@ miscfiles_read_localization(initrc_t)
> # slapd needs to read cert files from its initscript
> miscfiles_read_generic_certs(initrc_t)
>
> -modutils_read_module_config(initrc_t)
> -modutils_domtrans_insmod(initrc_t)
> -
> seutil_read_config(initrc_t)
>
> userdom_read_user_home_content_files(initrc_t)
> @@ -955,6 +954,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_read_module_config(initrc_t)
> + modutils_domtrans_insmod(initrc_t)
> +')
> +
> +optional_policy(`
> mta_read_config(initrc_t)
> mta_dontaudit_read_spool_symlinks(initrc_t)
> ')
> Index: refpolicy-2.20170216/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170216/policy/modules/system/udev.te
> @@ -125,6 +125,7 @@ files_search_mnt(udev_t)
>
> fs_getattr_all_fs(udev_t)
> fs_list_inotifyfs(udev_t)
> +fs_read_cgroup_files(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
>
> mcs_ptrace_all(udev_t)
> Index: refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170216/policy/modules/contrib/kerneloops.te
> @@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
> files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
>
> kernel_read_ring_buffer(kerneloops_t)
> +kernel_read_system_state(kerneloops_t)
>
> domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170216/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170216/policy/modules/services/xserver.if
> @@ -934,6 +934,27 @@ interface(`xserver_create_xdm_tmp_socket
>
> ########################################
> ## <summary>
> +## Unlink a named socket in a XDM
> +## temporary directory.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`xserver_unlink_xdm_tmp_sockets',`
> + gen_require(`
> + type xdm_tmp_t;
> + ')
> +
> + files_search_tmp($1)
> + allow $1 xdm_tmp_t:dir list_dir_perms;
> + allow $1 xdm_tmp_t:sock_file unlink;
> +')

Renamed this interface and put in delete_sock_files_pattern().


> +########################################
> +## <summary>
> ## Read XDM pid files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170216/policy/modules/kernel/files.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/kernel/files.te
> +++ refpolicy-2.20170216/policy/modules/kernel/files.te
> @@ -11,6 +11,7 @@ attribute lockfile;
> attribute mountpoint;
> attribute pidfile;
> attribute configfile;
> +attribute spoolfile;
>
> # For labeling types that are to be polyinstantiated
> attribute polydir;
>


--
Chris PeBenito