From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] some little stuff
Date: Fri, 11 Jan 2019 21:30:43 +1100 [thread overview]
Message-ID: <20190111103043.GA22910@xev> (raw)
Tiny changes, and I think they are all obvious.
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t
mount_rw_runtime_files(bootloader_t)
+selinux_getattr_fs(bootloader_t)
seutil_read_bin_policy(bootloader_t)
+seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
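Review bot: Neither added line carries a rationale, and `seutil_read_file_contexts` is not an obvious need for a bootloader domain, so a later reader cannot tell which helper run from bootloader_t reads the file_contexts set (and why it also needs to getattr selinuxfs). The file already documents unusual grants elsewhere, so a one-line comment naming the tool that triggers these accesses would keep that convention, e.g. `# <helper> reads file_contexts while rebuilding the initramfs` with the actual helper filled in.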
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
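Review bot: The new `sys_ptrace` on the allow line at the top of this hunk is the one capability in that set that reaches into other processes, yet the justification is only "is for systemctl", while two lines below the comparable `net_admin` request from systemctl is handled with a dontaudit rather than an allow. In my experience systemctl trips this check when it inspects other processes under /proc and works fine when denied, so unless logrotate's systemctl invocations actually fail without it, `dontaudit logrotate_t self:capability { net_admin sys_ptrace };` silences the log without widening logrotate_t; if it is genuinely required, the comment should name the operation that fails. As a point of style, the set is otherwise alphabetical, so `sys_ptrace` belongs after `sys_nice`.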
Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
+++ refpolicy-2.20180701/policy/modules/services/dhcp.te
@@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
+miscfiles_read_generic_certs(dhcpd_t)
miscfiles_read_localization(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
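Review bot: `miscfiles_read_generic_certs(dhcpd_t)` is added without a comment, and a DHCP server reading the system certificate store is not self-explanatory. If the access comes from a linked library probing the cert directory at startup rather than from something dhcpd needs to succeed, a dontaudit is the narrower choice; either way a comment such as `# <component> reads the system certs` (with the actual trigger filled in) would let the next reader judge it.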
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -333,6 +333,7 @@ optional_policy(`
optional_policy(`
xserver_domtrans_xauth(sshd_t)
+ xserver_link_xdm_keys(sshd_t)
')
########################################
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`
########################################
## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_link_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key link;
+')
+
+########################################
+## <summary>
## Read and write the mesa shader cache.
## </summary>
## <param name="domain">
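Review bot: The summary of the new `xserver_link_xdm_keys` interface says `Manage keys for xdm.`, but the body grants only `allow $1 xdm_t:key link;`, so the generated interface documentation promises far more than callers get; the neighbouring `xserver_rw_xdm_keys` names its permission set the way its rule does. Suggest `## Link to xdm's keys.` so the summary matches the single permission. The end of `xserver_rw_xdm_keys` lies above this hunk, so the placement between interfaces cannot be fully checked from here.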
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+# for writing to ~/.local/share/sddm/xorg-session.log
+xdg_manage_data(xauth_t)
+
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
allow xserver_t xauth_home_t:file read_file_perms;
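Review bot: `xdg_manage_data(xauth_t)` gives xauth_t create/delete/rename rights over all xdg data content, which is much wider than the comment's stated need of writing one session log under ~/.local/share/sddm. If xauth_t only inherits the display manager's already-open log descriptor, a write permission on that file's type is enough; if it opens the file itself, a file transition to a dedicated log type bounded to that type would be the least-privilege form. The rule is also placed among xserver_t rules (the surrounding context lines are all xserver_t) rather than in the xauth local policy section, where the other xauth_t rules live. At minimum record the assumption: `# xauth_t inherits sddm's xorg-session.log fd; check whether a narrower permission suffices`.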
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
+
#########################################
#
# hw local policy
@@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
@@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#
-allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(groupadd_t)
')
@@ -546,6 +550,10 @@ optional_policy(`
')
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(useradd_t)
')
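Review bot: The added `apt_use_fds(groupadd_t)` in this second hunk sits in the useradd_t section — the `dbus_system_bus_client(useradd_t)` context line directly below it shows which domain the block belongs to — so it duplicates the grant the first hunk already makes for groupadd_t and leaves useradd_t without the fd use the change evidently intends. It should read `apt_use_fds(useradd_t)`.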