From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] missing from previous
Date: Sun, 6 Jan 2019 13:50:03 -0500
Message-ID: <b06c8e4b-8ab7-d76c-1712-e947367899ec@ieee.org>
In-Reply-To: <20190106024235.GA17569@xev>

On 1/5/19 9:42 PM, Russell Coker wrote:
> Here are the things that weren't applied from my previous patches, I think they
> are all worthy of inclusion.
> 
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>   
>   	files_search_var($1)
>   	allow $1 apt_var_cache_t:dir list_dir_perms;
> -	allow $1 apt_var_cache_t:file read_file_perms;
> +	allow $1 apt_var_cache_t:file mmap_read_file_perms;
>   ')
>   
>   ########################################
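
Review bot: switching apt_read_cache to mmap_read_file_perms widens every existing caller of this interface to map apt_var_cache_t files, not only the domain that needed it; that is the usual way to handle a map denial on read-only access, but the patch carries no description of which domain hit the denial, and a one-line note on that would make the change reviewable.
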
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>   
>   	files_search_var($1)
>   	allow $1 apt_var_cache_t:dir manage_dir_perms;
> -	allow $1 apt_var_cache_t:file manage_file_perms;
> +	allow $1 apt_var_cache_t:file { manage_file_perms map };
>   ')
>   
>   ########################################
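
Review bot: the two apt.if hunks add map in different styles, the named set mmap_read_file_perms in apt_read_cache versus the inline `{ manage_file_perms map }` in apt_manage_cache; if the policy's permission-set definitions provide a manage-plus-map set, using it here keeps the two interfaces consistent, otherwise the inline form is acceptable.
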
> Index: refpolicy-2.20180701/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180701/policy/modules/system/systemd.if
> @@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
>   	manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
>   
>   	allow systemd_passwd_agent_t $1:process signull;
> +	ps_process_pattern(systemd_passwd_agent_t, $1)
>   	allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
>   ')
>   
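
Review bot: ps_process_pattern(systemd_passwd_agent_t, $1) lets the agent read the caller's process state under /proc, a larger grant than the signull and sendto lines around it; a short comment on what the agent does with $1's process information, and a mention in the interface description, would justify it for future readers.
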
> @@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
>   
>   	getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
>   ')
> +
> +#######################################
> +## <summary>
> +##  Allow domain to list dirs under /run/systemd/netif
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +##  domain permitted the access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_list_netif',`

I renamed this.


> +	gen_require(`
> +		type systemd_networkd_var_run_t;
> +	')
> +
> +	init_list_pids($1)
> +	allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
> +')
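
Review bot: the summary says the interface lists dirs under /run/systemd/netif, but the body also calls init_list_pids($1), so a caller is granted listing of /run/systemd itself in addition to the systemd_networkd_var_run_t directory; the description should mention that side grant. The separator line above the block also appears one `#` shorter than the others in this file, and the summary text is indented with spaces where the neighbouring interfaces follow the file's existing convention.
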
> Index: refpolicy-2.20180701/policy/modules/services/ntp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
> +++ refpolicy-2.20180701/policy/modules/services/ntp.te
> @@ -152,7 +152,7 @@ ifdef(`init_systemd',`
>   	init_list_var_lib_dirs(ntpd_t)
>   
>   	# for /run/systemd/netif/links
> -	init_list_pids(ntpd_t)
> +	systemd_list_netif(ntpd_t)
>   
>   	optional_policy(`
>   		unconfined_dbus_send(ntpd_t)
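
Review bot: replacing init_list_pids(ntpd_t) with systemd_list_netif(ntpd_t) is safe only because the new interface calls init_list_pids($1) itself; since the interface is being renamed on merge, this call site must follow the new name, and the `# for /run/systemd/netif/links` comment remains accurate and should be kept.
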
> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> @@ -552,6 +552,8 @@ ifdef(`init_systemd',`
>   	init_dgram_send(syslogd_t)
>   	init_read_pid_pipes(syslogd_t)
>   	init_read_state(syslogd_t)
> +	# for /run/systemd/units/invocation:* links
> +	init_read_unit_links(syslogd_t)
>   
>   	systemd_manage_journal_files(syslogd_t)
>   
> 
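
Review bot: init_read_unit_links(syslogd_t) calls an interface that is not defined anywhere in this patch, so this hunk either depends on a separate change to init.if or will not build on its own; the dependency should be stated, or the hunk submitted together with the interface it needs.
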

See other thread for why I dropped this hunk.  Otherwise merged.

-- 
Chris PeBenito
