2017-12-28 05:16:11

by Russell Coker

Subject: [refpolicy] [PATCH] some file:map additions, and support /etc/resolv.conf symlink

This patch adds some file:map permissions, changes sysnet_dns_name_resolve()
to support the case where /etc/resolv.conf is a symlink to /run/NetworkManager,
and allows useradd and groupadd to talk to dbus.

This was written to support Debian/Testing with the latest git policy.

Index: refpolicy-2.20171228/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/system/logging.te
+++ refpolicy-2.20171228/policy/modules/system/logging.te
@@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })

manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
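Review bot: The added `allow syslogd_t syslogd_tmp_t:file map;` carries no comment recording which syslog implementation needs to memory-map its temporary files, and the same applies to the `syslogd_var_run_t` rule in the next hunk and the `lvm_etc_t` rule in lvm.te. Because a mapping gives access to file contents without the per-call read/write checks, the reason for granting `map` is something later maintainers will want to see next to the rule rather than only in the commit message. A one-line comment above each rule, e.g. `# <daemon> mmaps these files` with the actual program named, would cover it; the raw `allow` form sitting between pattern macros is also the place readers will look for that justification.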
@@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)

# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;

Index: refpolicy-2.20171228/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20171228/policy/modules/system/lvm.te
@@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })

read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
Index: refpolicy-2.20171228/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20171228/policy/modules/system/systemd.if
@@ -366,6 +366,7 @@ interface(`systemd_manage_journal_files'

manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
')


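Review bot: Adding `allow $1 systemd_journal_t:file map;` inside `systemd_manage_journal_files` changes what every existing caller of the interface receives, but the interface's `<summary>` documentation, which sits above the hunk, presumably still describes it only as managing journal files. The summary should state that the interface also allows the caller to memory-map journal files, so that a module granting it knows the extra permission comes with it. The interface body is closed by the `')` line inside the hunk, but its header and documentation start outside it.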
Index: refpolicy-2.20171228/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20171228/policy/modules/contrib/dpkg.if
@@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files'
allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
allow $1 dpkg_script_tmp_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## map dpkg_script_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_map_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:file map;
+')
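Review bot: The summary for the new `dpkg_map_script_tmp_files` interface, `map dpkg_script_tmp_t files`, names the type rather than describing the action as the sibling summaries in this file do; `Memory map dpkg script temporary files.` follows that convention. The summary should also say that the interface grants only `map` and is intended to be used together with `dpkg_manage_script_tmp_files` or another interface that grants read/write, since `map` alone does not let a domain open the file in the first place.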
Index: refpolicy-2.20171228/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20171228/policy/modules/system/modutils.te
@@ -132,7 +132,9 @@ optional_policy(`
')

optional_policy(`
+ # for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
+ dpkg_map_script_tmp_files(kmod_t)
')

optional_policy(`
Index: refpolicy-2.20171228/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20171228/policy/modules/system/sysnetwork.if
@@ -751,6 +751,10 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')

# This seems needed when the mymachines NSS module is used
optional_policy(`
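Review bot: The new optional block hands every caller of `sysnet_dns_name_resolve` the whole of `networkmanager_read_pid_files`, i.e. read access to everything labelled as NetworkManager runtime files, not only the generated resolv.conf the symlink points to; that is a wider grant than the DNS case needs and it now reaches every domain that resolves names. If NetworkManager's policy gives its generated resolv.conf a distinct type, a narrower interface limited to that file would be the least-privilege fix; if it does not, the comment should at least state the scope, e.g. `# /etc/resolv.conf may be a symlink into /run/NetworkManager/; this grants read on all NetworkManager runtime files`. The body of `sysnet_dns_name_resolve` both starts and ends outside the hunk.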
Index: refpolicy-2.20171228/policy/modules/contrib/syncthing.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/contrib/syncthing.te
+++ refpolicy-2.20171228/policy/modules/contrib/syncthing.te
@@ -66,7 +66,3 @@ userdom_use_user_terminals(syncthing_t)
# newly created files in ~/.config/syncthing/ will transition to syncthing_config_home_t
userdom_user_home_content_filetrans(syncthing_t, syncthing_config_home_t, dir, "syncthing")

-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20171228/policy/modules/contrib/dictd.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/contrib/dictd.te
+++ refpolicy-2.20171228/policy/modules/contrib/dictd.te
@@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)

domain_use_interactive_fds(dictd_t)

+files_map_usr_files(dictd_t)
files_read_etc_runtime_files(dictd_t)
files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
Index: refpolicy-2.20171228/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20171228.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20171228/policy/modules/admin/usermanage.te
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)

optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
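Review bot: `dbus_system_bus_client(groupadd_t)`, and `dbus_system_bus_client(useradd_t)` in the second hunk, is added without a comment saying which service the tools need to reach, and the commit description only says they "talk to dbus". The interface allows connecting to the system bus and messaging the bus daemon; exchanging messages with a particular service normally also needs that service's chat interface, so either a rule is still missing or the intended peer should be recorded so reviewers can judge whether the grant is needed. A comment such as `# useradd/groupadd contact <service> over the system bus`, with the actual service named, above each call would do.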
@@ -538,6 +542,10 @@ optional_policy(`
')

optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')


2017-12-29 15:28:01

by Chris PeBenito

Subject: [refpolicy] [PATCH] some file:map additions, and support /etc/resolv.conf symlink

On 12/28/2017 12:16 AM, Russell Coker via refpolicy wrote:
> This patch adds some file:map permissions, changes sysnet_dns_name_resolve()
> to support the case where /etc/resolv.conf is a symlink to /run/NetworkManager,
> and allows useradd and groupadd to talk to dbus.
>
> This was written to support Debian/Testing with the latest git policy.
>
> Index: refpolicy-2.20171228/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20171228.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20171228/policy/modules/system/logging.te
> @@ -418,6 +418,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +428,8 @@ files_search_var_lib(syslogd_t)
>
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;

Are these above perms due to journald? If so, they should be in the
init_systemd block.


--
Chris PeBenito