From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] misc services patches
Date: Fri, 4 Jan 2019 18:33:57 +1100 [thread overview]
Message-ID: <20190104073357.GB11256@aaa.coker.com.au> (raw)
Lots of little patches to services.
Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
# Local policy
#
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
allow boinc_t self:unix_stream_socket { accept listen };
allow boinc_t self:tcp_socket { accept listen };
allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
can_exec(boinc_t, boinc_var_lib_t)
libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
kernel_read_system_state(boinc_t)
kernel_search_vm_sysctl(boinc_t)
kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
corenet_all_recvfrom_unlabeled(boinc_t)
corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
logging_send_syslog_msg(boinc_t)
miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
miscfiles_read_localization(boinc_t)
tunable_policy(`boinc_execmem',`
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
userdom_getattr_user_ttys(boinc_t)
optional_policy(`
+ # for lsb_release -a
+ apt_read_cache(boinc_t)
+ apt_read_db(boinc_t)
+ dpkg_exec(boinc_t)
+ dpkg_read_db(boinc_t)
+
+ apt_read_cache(boinc_project_t)
+ apt_read_db(boinc_project_t)
+ dpkg_exec(boinc_project_t)
+ dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
java_exec(boinc_project_t)
')
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
# Local policy
#
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
allow consolekit_t self:process { getsched signal setfscreate };
allow consolekit_t self:fifo_file rw_fifo_file_perms;
allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
kernel_read_system_state(devicekit_t)
dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
dev_read_urand(devicekit_t)
files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
userdom_dontaudit_use_unpriv_user_fds(dictd_t)
optional_policy(`
+ dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
seutil_sigchld_newrole(dictd_t)
')
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
dev_read_urand(fetchmail_t)
files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
files_search_tmp(fetchmail_t)
files_dontaudit_search_home(fetchmail_t)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
/usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
/run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
allow gdomap_t self:tcp_socket { listen accept };
allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
corenet_sendrecv_gdomap_server_packets(gdomap_t)
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
auth_use_nsswitch(gdomap_t)
logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
fs_getattr_all_fs(irqbalance_t)
fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
domain_use_interactive_fds(irqbalance_t)
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
allow jabberd_domain self:tcp_socket { accept listen };
manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
kernel_read_system_state(jabberd_domain)
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
corenet_tcp_sendrecv_generic_if(jabberd_domain)
corenet_tcp_sendrecv_generic_node(jabberd_domain)
corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
dev_read_urand(jabberd_domain)
dev_read_sysfs(jabberd_domain)
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
allow mon_local_test_t self:capability sys_admin;
allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
can_exec(mon_local_test_t, mon_local_test_exec_t)
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
kernel_dontaudit_getattr_core_if(mon_local_test_t)
kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
kernel_read_software_raid_state(mon_local_test_t)
kernel_read_system_state(mon_local_test_t)
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
logging_send_syslog_msg(mon_local_test_t)
+miscfiles_read_generic_certs(mon_t)
miscfiles_read_localization(mon_local_test_t)
sysnet_read_config(mon_local_test_t)
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
allow NetworkManager_t self:packet_socket create_socket_perms;
allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
optional_policy(`
dbus_system_domain(policykit_t, policykit_exec_t)
+ init_dbus_chat(policykit_t)
userdom_dbus_send_all_users(policykit_t)
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
+optional_policy(`
+ init_dbus_chat(postfix_bounce_t)
+')
+
########################################
#
# Cleanup local policy
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
# sshd_t is the domain for the sshd program.
#
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
# so a tunnel can point to another ssh tunnel
allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
allow sshd_t self:key { search link write };
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
corenet_tcp_sendrecv_all_reserved_ports(tor_t)
dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
dev_read_urand(tor_t)
domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
logging_send_syslog_msg(tor_t)
+miscfiles_read_generic_certs(tor_t)
miscfiles_read_localization(tor_t)
tunable_policy(`tor_bind_all_unreserved_ports',`
next reply other threads:[~2019-01-04 7:34 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-04 7:33 Russell Coker [this message]
2019-01-05 18:34 ` [PATCH] misc services patches Chris PeBenito
2021-01-20 10:08 Russell Coker
2021-01-20 14:53 ` Dominick Grift
2021-01-21 13:25 ` Russell Coker
2021-01-21 13:35 ` Dominick Grift
2021-01-21 13:40 ` Dominick Grift
2021-01-22 2:24 ` Russell Coker
2021-01-22 7:02 ` Dominick Grift
2021-02-03 4:08 Russell Coker
2021-02-03 18:06 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190104073357.GB11256@aaa.coker.com.au \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).