From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] missing from previous
Date: Sun, 6 Jan 2019 13:42:35 +1100
Message-ID: <20190106024235.GA17569@xev>
Here are the things that weren't applied from my previous patches; I think they
are all worthy of inclusion.
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
')
########################################
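Review bot: the cover text gives no rationale for widening `read_file_perms` to `mmap_read_file_perms` on `apt_var_cache_t:file` in `apt_read_cache`. Adding `map` is a small widening, but refpolicy reviewers and downstream auditors rely on a short note (either in the message or as a comment above the rule) saying which apt cache file is mapped and, ideally, the AVC denial that prompted it. Please add that one line so the change is reviewable on its own.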
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
')
########################################
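Review bot: the previous hunk uses the `mmap_read_file_perms` permission set, while this one spells out `{ manage_file_perms map }` by hand for `apt_manage_cache`. If the tree defines an `mmap_manage_file_perms` set alongside `mmap_read_file_perms` (check `policy/support/obj_perm_sets.spt`), use it here for consistency; if it does not, the hand-written set is fine but a comment noting that apt maps its cache would help the next reader.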
Index: refpolicy-2.20180701/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180701/policy/modules/system/systemd.if
@@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
allow systemd_passwd_agent_t $1:process signull;
+ ps_process_pattern(systemd_passwd_agent_t, $1)
allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
')
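Review bot: `ps_process_pattern(systemd_passwd_agent_t, $1)` grants more than the neighbouring rules suggest: it lets the agent search the caller's `/proc/<pid>` directory and read its files and symlinks, not just `getattr` on the process. If the denial that motivated this was only `process getattr`, the narrower `allow systemd_passwd_agent_t $1:process getattr;` would match the `signull` and `sendto` rules above it. If the full pattern is really needed, the `systemd_use_passwd_agent` summary should be updated to say the agent reads the caller's process state, since callers of this interface are handing out that access.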
@@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
')
+
+#######################################
+## <summary>
+## Allow domain to list dirs under /run/systemd/netif
+## </summary>
+## <param name="domain">
+## <summary>
+## domain permitted the access
+## </summary>
+## </param>
+#
+interface(`systemd_list_netif',`
+ gen_require(`
+ type systemd_networkd_var_run_t;
+ ')
+
+ init_list_pids($1)
+ allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
+')
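Review bot: the summary of `systemd_list_netif` says "list dirs under /run/systemd/netif", but the interface also calls `init_list_pids($1)`, which grants list and search on `/run/systemd` itself (`init_var_run_t`). Document that side effect in the `<summary>` so callers know the interface reaches beyond the networkd directory; alternatively, if callers are expected to already have `init_list_pids`, drop it here and leave the composition to the `.te` file. Also note that the interface only grants `list_dir_perms` on `systemd_networkd_var_run_t:dir`; a caller that needs the contents of the files under `netif/links` will still be denied and will need a separate read interface.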
Index: refpolicy-2.20180701/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20180701/policy/modules/services/ntp.te
@@ -152,7 +152,7 @@ ifdef(`init_systemd',`
init_list_var_lib_dirs(ntpd_t)
# for /run/systemd/netif/links
- init_list_pids(ntpd_t)
+ systemd_list_netif(ntpd_t)
optional_policy(`
unconfined_dbus_send(ntpd_t)
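Review bot: the comment kept above this line says "for /run/systemd/netif/links", yet `systemd_list_netif(ntpd_t)` only grants directory listing (plus the `init_list_pids` it carries). If ntpd needs to read the per-link files rather than just enumerate the directory, this hunk is incomplete and a file read permission on `systemd_networkd_var_run_t` is required; if listing is all the denial showed, say so in the comment ("lists /run/systemd/netif/links") so nobody later widens it by guesswork. Since `systemd_list_netif` is introduced by the `systemd.if` hunk in this same patch, the two hunks must land together or the build fails with an undefined interface.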
Index: refpolicy-2.20180701/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180701/policy/modules/system/logging.te
@@ -552,6 +552,8 @@ ifdef(`init_systemd',`
init_dgram_send(syslogd_t)
init_read_pid_pipes(syslogd_t)
init_read_state(syslogd_t)
+ # for /run/systemd/units/invocation:* links
+ init_read_unit_links(syslogd_t)
systemd_manage_journal_files(syslogd_t)
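Review bot: `init_read_unit_links(syslogd_t)` is called but no hunk in this patch adds it to `init.if`. Confirm that the interface already exists in refpolicy-2.20180701 (or include the `init.if` hunk in this series); otherwise the policy build will fail with an undefined-interface error. The comment above the call is good; it would be even more useful if it named the reason syslogd follows the `invocation:*` links (journal integration) rather than just the path.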
Thread overview:
2019-01-06 2:42 Russell Coker [this message]
2019-01-06 18:50 ` [PATCH] missing from previous Chris PeBenito