2017-09-17 03:19:08

by Russell Coker

Subject: [refpolicy] [PATCH] minor nspawn, dnsmasq, and mon patches

Label some shell scripts from bridge-utils correctly. Maybe have ifdef
distro_debian around this, not sure what upstream is doing.

systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
labeled chroot.

Another dontaudit for mon_local_test_t to stop it spamming the logs.

Support a .d directory for dnsmasq config files.

Index: refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
@@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`

/usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
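Review bot: The new pattern `/usr/lib/bridge-utils/.*\.sh` also matches scripts in any subdirectory of bridge-utils, which may be wider than the top-level helper scripts the description has in mind; if only files directly in that directory should become bin_t, `/usr/lib/bridge-utils/[^/]*\.sh -- gen_context(system_u:object_r:bin_t,s0)` is the tighter form. The description's open question about wrapping the line in a distro_debian ifdef is not settled in the hunk, and nothing on the line records which distribution installs scripts at this path. A short comment above the entry naming that distribution would let a later reader decide whether the ifdef is warranted.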
Index: refpolicy-2.20170909/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170909/policy/modules/system/systemd.te
@@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_n
dev_mounton(systemd_nspawn_t)
dev_setattr_generic_dirs(systemd_nspawn_t)

- files_search_home(systemd_nspawn_t)
+ # manage etc symlinks for /etc/localtime
+ files_manage_etc_symlinks(systemd_nspawn_t)
files_mounton_pid_dirs(systemd_nspawn_t)
+ files_search_home(systemd_nspawn_t)

fs_getattr_cgroup(systemd_nspawn_t)
fs_manage_cgroup_dirs(systemd_nspawn_t)
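Review bot: `files_manage_etc_symlinks(systemd_nspawn_t)` grants create, delete and rename on every etc_t symlink the domain can reach, on the host as well as inside the labeled container, while the comment justifies it only for /etc/localtime. That breadth is probably unavoidable because the container's /etc shares the host's etc_t type, but the comment should say so, e.g. `# rewrite the container's /etc/localtime symlink; etc_t is shared with the host, so this also covers host /etc symlinks`, so it reads as a deliberate choice rather than an oversight. The enclosing `tunable_policy(`systemd_nspawn_labeled_n...` block begins and ends outside the hunk, so I assume from the @@ context alone that the new rule is conditional on that tunable.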
Index: refpolicy-2.20170909/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20170909/policy/modules/contrib/mon.te
@@ -209,6 +209,8 @@ miscfiles_read_localization(mon_local_te

sysnet_read_config(mon_local_test_t)

+userdom_dontaudit_user_tmpfs_files(mon_local_test_t)
+
optional_policy(`
gpm_getattr_gpmctl(mon_local_test_t)
')
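Review bot: The added `userdom_dontaudit_user_tmpfs_files(mon_local_test_t)` carries no comment saying which mon local test attempts to read user_tmpfs_t files, so a later reader cannot tell whether the suppression is still needed or is hiding a test that should be fixed. A one-line note above the call, such as `# [test name] walks user tmpfs while scanning; the access is not required, so silence the denial` with the real test name filled in, would make the intent recoverable and keep the dontaudit reviewable when the module changes.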
Index: refpolicy-2.20170909/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170909/policy/modules/system/userdomain.if
@@ -2809,6 +2809,25 @@ interface(`userdom_read_user_tmpfs_files

########################################
## <summary>
+## dontaudit Read attempts of user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_dontaudit_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ dontaudit $1 user_tmpfs_t:file read_file_perms;
+ dontaudit $1 user_tmpfs_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
## relabel to/from user tmpfs dirs
## </summary>
## <param name="domain">
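Review bot: The `<summary>` of the new interface says only read attempts are silenced, but the body also dontaudits `list_dir_perms` on user_tmpfs_t directories; the summary should cover both, e.g. `## Do not audit attempts to read user tmpfs files or list user tmpfs directories.` The parameter summary `Domain allowed access.` is the wording used for allow interfaces and is misleading on a dontaudit, which grants nothing; the conventional text for this kind of interface is `## Domain to not audit.`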
Index: refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
===================================================================
--- refpolicy-2.20170909.orig/policy/modules/contrib/dnsmasq.te
+++ refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
@@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
allow dnsmasq_t self:packet_socket create_socket_perms;
allow dnsmasq_t self:rawip_socket create_socket_perms;

-read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
+allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
+allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;

manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)
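Review bot: Replacing `read_files_pattern()` with two bare allow rules abandons the refpolicy pattern macros without need; the .d directory support is obtained by keeping `read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)` and adding `list_dirs_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)`, which yields the same dir list and file read permissions in the style the surrounding lines use. The new rules only take effect if the .d directory is actually labeled dnsmasq_etc_t, and this patch adds no file-context entry for it; either dnsmasq.fc already labels it or an entry for the .d path is still missing, which I cannot tell from the hunk.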


2017-09-17 15:11:48

by Chris PeBenito

Subject: [refpolicy] [PATCH] minor nspawn, dnsmasq, and mon patches

On 09/16/2017 11:19 PM, Russell Coker via refpolicy wrote:
> Label some shell scripts from bridge-utils correctly. Maybe have ifdef
> distro_debian around this, not sure what upstream is doing.
>
> systemd_nspawn_t needs to manage the /etc/localtime symlink if you have a
> labeled chroot.
>
> Another dontaudit for mon_local_test_t to stop it spamming the logs.
>
> Support a .d directory for dnsmasq config files.
>
> Index: refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20170909/policy/modules/kernel/corecommands.fc
> @@ -165,6 +165,7 @@ ifdef(`distro_gentoo',`
>
> /usr/lib/at-spi2-core(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/avahi/avahi-daemon-check-dns\.sh -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/bridge-utils/.*\.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ccache/bin(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dhcpcd/dhcpcd-hooks(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/dhcpcd/dhcpcd-run-hooks -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20170909/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20170909/policy/modules/system/systemd.te
> @@ -626,8 +626,10 @@ tunable_policy(`systemd_nspawn_labeled_n
> dev_mounton(systemd_nspawn_t)
> dev_setattr_generic_dirs(systemd_nspawn_t)
>
> - files_search_home(systemd_nspawn_t)
> + # manage etc symlinks for /etc/localtime
> + files_manage_etc_symlinks(systemd_nspawn_t)
> files_mounton_pid_dirs(systemd_nspawn_t)
> + files_search_home(systemd_nspawn_t)
>
> fs_getattr_cgroup(systemd_nspawn_t)
> fs_manage_cgroup_dirs(systemd_nspawn_t)
> Index: refpolicy-2.20170909/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20170909/policy/modules/contrib/mon.te
> @@ -209,6 +209,8 @@ miscfiles_read_localization(mon_local_te
>
> sysnet_read_config(mon_local_test_t)
>
> +userdom_dontaudit_user_tmpfs_files(mon_local_test_t)
> +
> optional_policy(`
> gpm_getattr_gpmctl(mon_local_test_t)
> ')
> Index: refpolicy-2.20170909/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170909/policy/modules/system/userdomain.if
> @@ -2809,6 +2809,25 @@ interface(`userdom_read_user_tmpfs_files
>
> ########################################
> ## <summary>
> +## dontaudit Read attempts of user tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_dontaudit_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + dontaudit $1 user_tmpfs_t:file read_file_perms;
> + dontaudit $1 user_tmpfs_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> ## relabel to/from user tmpfs dirs
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
> ===================================================================
> --- refpolicy-2.20170909.orig/policy/modules/contrib/dnsmasq.te
> +++ refpolicy-2.20170909/policy/modules/contrib/dnsmasq.te
> @@ -40,7 +40,8 @@ allow dnsmasq_t self:tcp_socket { accept
> allow dnsmasq_t self:packet_socket create_socket_perms;
> allow dnsmasq_t self:rawip_socket create_socket_perms;
>
> -read_files_pattern(dnsmasq_t, dnsmasq_etc_t, dnsmasq_etc_t)
> +allow dnsmasq_t dnsmasq_etc_t:dir list_dir_perms;
> +allow dnsmasq_t dnsmasq_etc_t:file read_file_perms;
>
> manage_files_pattern(dnsmasq_t, dnsmasq_lease_t, dnsmasq_lease_t)
> files_var_lib_filetrans(dnsmasq_t, dnsmasq_lease_t, file)


Merged, though I renamed the interface.

--
Chris PeBenito