From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] missing from previous
Date: Sun, 6 Jan 2019 13:50:03 -0500 [thread overview]
Message-ID: <b06c8e4b-8ab7-d76c-1712-e947367899ec@ieee.org> (raw)
In-Reply-To: <20190106024235.GA17569@xev>
On 1/5/19 9:42 PM, Russell Coker wrote:
> Here are the things that weren't applied from my previous patches, I think they
> are all worthy of inclusion.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir list_dir_perms;
> - allow $1 apt_var_cache_t:file read_file_perms;
> + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> ')
>
> ########################################
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir manage_dir_perms;
> - allow $1 apt_var_cache_t:file manage_file_perms;
> + allow $1 apt_var_cache_t:file { manage_file_perms map };
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180701/policy/modules/system/systemd.if
> @@ -307,6 +307,7 @@ interface(`systemd_use_passwd_agent',`
> manage_sock_files_pattern($1, systemd_passwd_var_run_t, systemd_passwd_var_run_t)
>
> allow systemd_passwd_agent_t $1:process signull;
> + ps_process_pattern(systemd_passwd_agent_t, $1)
> allow systemd_passwd_agent_t $1:unix_dgram_socket sendto;
> ')
>
> @@ -828,3 +829,22 @@ interface(`systemd_getattr_updated_runti
>
> getattr_files_pattern($1, systemd_update_run_t, systemd_update_run_t)
> ')
> +
> +#######################################
> +## <summary>
> +## Allow domain to list dirs under /run/systemd/netif
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain permitted the access
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_list_netif',`
I renamed this.
> + gen_require(`
> + type systemd_networkd_var_run_t;
> + ')
> +
> + init_list_pids($1)
> + allow $1 systemd_networkd_var_run_t:dir list_dir_perms;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/ntp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.te
> +++ refpolicy-2.20180701/policy/modules/services/ntp.te
> @@ -152,7 +152,7 @@ ifdef(`init_systemd',`
> init_list_var_lib_dirs(ntpd_t)
>
> # for /run/systemd/netif/links
> - init_list_pids(ntpd_t)
> + systemd_list_netif(ntpd_t)
>
> optional_policy(`
> unconfined_dbus_send(ntpd_t)
> Index: refpolicy-2.20180701/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180701/policy/modules/system/logging.te
> @@ -552,6 +552,8 @@ ifdef(`init_systemd',`
> init_dgram_send(syslogd_t)
> init_read_pid_pipes(syslogd_t)
> init_read_state(syslogd_t)
> + # for /run/systemd/units/invocation:* links
> + init_read_unit_links(syslogd_t)
>
> systemd_manage_journal_files(syslogd_t)
>
>
See other thread for why I dropped this hunk. Otherwise merged.
--
Chris PeBenito
prev parent reply other threads:[~2019-01-06 19:14 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-06 2:42 [PATCH] missing from previous Russell Coker
2019-01-06 18:50 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b06c8e4b-8ab7-d76c-1712-e947367899ec@ieee.org \
--to=pebenito@ieee.org \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).