From: Jason Zaman <jason@perfinion.com>
To: Chris PeBenito <pebenito@ieee.org>
Cc: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm
Date: Thu, 3 Jan 2019 13:16:14 +0800
Message-ID: <20190103051614.GB19860@baraddur.perfinion.com>
In-Reply-To: <ff620905-5c53-8b3d-749e-d04719195fba@ieee.org>
On Wed, Jan 02, 2019 at 07:07:19PM -0500, Chris PeBenito wrote:
> On 1/2/19 3:45 AM, Russell Coker wrote:
> > Lots of little stuff.
> >
> > Also the sysnet_dns_name_resolve() change the previous patch needed.
> >
> [...]
>
> > --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> > +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> > @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> > # Local policy
> > #
> >
> > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
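Review bot: the `+allow consolekit_t self:capability` line adds `dac_read_search` without any record of which denied operation prompted it, and the commit message ("Lots of little stuff") does not cover it either. Please state in the commit message what consolekit was doing when the `dac_read_search` denial appeared, and whether the rule was retested without `dac_override`, so a reviewer can tell from the patch alone that both capabilities are still required rather than only the newly added one.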
>
> Since you're getting the dac_read_search denial, the dac_override
> probably isn't necessary anymore. Can you retest without it?
No, consolekit definitely needs dac_override. It needs to be able to
nuke /run/user/1000/*. It perhaps doesn't need to read, only nuke, but I'd
say granting the perm instead of dontaudit makes things easier if doing
semodule -DB.
>
>
>
> [...]
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> > +++ refpolicy-2.20180701/policy/modules/system/udev.te
> [...]
>
> > @@ -328,6 +324,11 @@ optional_policy(`
> > ')
> >
> > optional_policy(`
> > + iptables_domtrans(udev_t)
> > + iptables_write_pipe(udev_t)
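Review bot: `iptables_write_pipe(udev_t)` on the second `+` line is redundant with `iptables_domtrans(udev_t)` directly above it. The domain transition interface already lets the target domain use the caller's inherited file descriptors and read/write its pipes, which is exactly the access the new interface grants, so only `iptables_domtrans(udev_t)` should remain in this optional_policy block.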
>
> I'm not clear why this separate pipe interface is necessary, as that
> access should be provided by the domtrans interface already.
>
>
> > --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> > +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> > @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
> >
> > ########################################
> > ## <summary>
> > +## Allow iptables to write to a pipe
> > +## </summary>
> > +## <param name="domain">
> > +## <summary>
> > +## Domain to be written to
> > +## </summary>
> > +## </param>
> > +#
> > +interface(`iptables_write_pipe',`
>
> Should be iptables_write_inherited_pipe().
>
> > + gen_require(`
> > + type iptables_t;
> > + ')
> > +
> > + allow iptables_t $1:fifo_file write;
> > +')
> > +
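Review bot: `allow iptables_t $1:fifo_file write;` uses a bare permission where refpolicy interfaces use the permission-set macros, and the pipe being written is one inherited from the calling domain, which neither the rule nor the interface name says. Suggest renaming to `iptables_write_inherited_pipe` and using the inherited-pipe set, e.g. `allow iptables_t $1:fifo_file rw_inherited_fifo_file_perms;`, so the rule matches the other inherited-pipe interfaces in the tree. The `<param name="domain">` summary "Domain to be written to" should also describe the domain that owns the pipe, e.g. "Domain whose inherited pipe iptables writes to".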
>
> --
> Chris PeBenito
Thread overview: 4+ messages
2019-01-02 8:45 [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm Russell Coker
2019-01-03 0:07 ` Chris PeBenito
2019-01-03 5:16 ` Jason Zaman [this message]
2019-01-04 7:06 ` Russell Coker