* [refpolicy] [PATCH 0/8] Updates on master (non-contrib)
@ 2012-12-17  9:42 Sven Vermeulen
  2012-12-17  9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
                   ` (7 more replies)
  0 siblings, 8 replies; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

Loose updates on the master repository (non-contrib items)

Sven Vermeulen (8):
  Postgresql 9.2 connects to its unix stream socket
  lvscan creates the /run/lock/lvm directory if nonexisting (v2)
  Allow syslogger to manage cron log files (v2)
  Update towards apache_manage_all_content
  Dontaudit getsched on all domains
  Allow initrc_t to read stunnel configuration
  Introduce rw_inherited_file_perms definition
  Introduce exec-check interfaces for passwd binaries and useradd
    binaries

 policy/modules/admin/usermanage.if    |   36 +++++++++++++++++++++++++++++++++
 policy/modules/admin/usermanage.te    |    2 +-
 policy/modules/kernel/domain.if       |   18 ++++++++++++++++
 policy/modules/services/postgresql.te |    2 +-
 policy/modules/system/init.te         |    4 +++
 policy/modules/system/logging.te      |    5 ++++
 policy/modules/system/lvm.te          |    2 +
 policy/modules/system/userdomain.if   |    2 +
 policy/support/obj_perm_sets.spt      |    3 +-
 9 files changed, 71 insertions(+), 3 deletions(-)

-- 
1.7.8.6

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:30   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2) Sven Vermeulen
                   ` (6 subsequent siblings)
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

When starting postgresql, it fails with the (little saying) error message:
pg_ctl: could not start server

In the denials, we notice:
Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481
comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
tclass=unix_stream_socket

Hence, allow postgresql to connect to its own stream socket.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/services/postgresql.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
index 0210aef..94b1a57 100644
--- a/policy/modules/services/postgresql.te
+++ b/policy/modules/services/postgresql.te
@@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms;
 allow postgresql_t self:tcp_socket create_stream_socket_perms;
 allow postgresql_t self:udp_socket create_stream_socket_perms;
 allow postgresql_t self:unix_dgram_socket create_socket_perms;
-allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
+allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow postgresql_t self:netlink_selinux_socket create_socket_perms;
 tunable_policy(`sepgsql_transmit_client_label',`
 	allow postgresql_t self:process { setsockcreate };
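
Review bot: The `connectto` added on the `self:unix_stream_socket` line has no comment tying it to the caller that needs it. The denial in the commit message is for comm="pg_ctl" on /run/postgresql/.s.PGSQL.5432 with source and target both postgresql_t, so a one-line comment above the rule naming pg_ctl would keep the reason next to the permission. Scoping the grant to `self` is appropriately narrow.
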
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2)
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
  2012-12-17  9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:30   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2) Sven Vermeulen
                   ` (5 subsequent siblings)
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
(like lvscan) will create this directory. Introduce a named file transition for
the lock location when a directory named "lvm" is created and grant the
necessary rights to create the directory.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/lvm.te |    2 ++
 1 files changed, 2 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index f8eeecd..a712d85 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -192,7 +192,9 @@ can_exec(lvm_t, lvm_exec_t)
 
 # Creating lock files
 manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
+create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
 files_lock_filetrans(lvm_t, lvm_lock_t, file)
+files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
 
 manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
 manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
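
Review bot: In the lock-file block, the two added lines create a directory, but the `# Creating lock files` comment above them still describes files only and nothing says where the name "lvm" comes from. Extend the comment to say that the LVM tools create /run/lock/lvm themselves when it is missing, so the named transition is understandable without the commit message. Please also confirm that `create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)`, whose second argument is the containing directory type, is the intended form when the containing directory is the generic lock directory rather than an lvm_lock_t one.
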
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2)
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
  2012-12-17  9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
  2012-12-17  9:42 ` [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2) Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:31   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content Sven Vermeulen
                   ` (4 subsequent siblings)
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

Some cron daemons, including vixie-cron, support using the system logger for
handling their logging events. Hence we allow syslogd_t to manage the cron logs,
and put a file transition in place for the system logger when it creates the
cron.log file.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/logging.te |    5 +++++
 1 files changed, 5 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
index 09b9a31..c75cd96 100644
--- a/policy/modules/system/logging.te
+++ b/policy/modules/system/logging.te
@@ -490,6 +490,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	cron_manage_log_files(syslogd_t)
+	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
+')
+
+optional_policy(`
 	inn_manage_log(syslogd_t)
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
 	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
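
Review bot: The named transition in the new `optional_policy` block matches only a file called "cron.log", so a syslog configuration that writes cron messages under another name would not get the cron log type. State that assumption in a comment inside the block, or add further names the way the `inn` block below does for "news.crit" and "news.err". Also consider whether `cron_manage_log_files` is more than the logger needs if it only creates and appends to the file.
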
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
                   ` (2 preceding siblings ...)
  2012-12-17  9:42 ` [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2) Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:13   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains Sven Vermeulen
                   ` (3 subsequent siblings)
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

The apache_manage_all_user_content interface has been deprecated and is now
pointing towards apache_manage_all_content.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/usermanage.te |    2 +-
 1 files changed, 1 insertions(+), 1 deletions(-)

diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 673180c..9721f3b 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -533,7 +533,7 @@ ifdef(`distro_redhat',`
 ')
 
 optional_policy(`
-	apache_manage_all_user_content(useradd_t)
+	apache_manage_all_content(useradd_t)
 ')
 
 optional_policy(`
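
Review bot: Replacing `apache_manage_all_user_content(useradd_t)` with `apache_manage_all_content(useradd_t)` drops "user" from the interface name, which reads as a wider grant than the one it replaces. The commit message only says the old interface is deprecated; please confirm that the new one gives useradd_t no access beyond the user content it had before, and if it does, keep a narrower call here.
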
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
                   ` (3 preceding siblings ...)
  2012-12-17  9:42 ` [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2012-12-17 10:20   ` grift
  2012-12-17  9:42 ` [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration Sven Vermeulen
                   ` (2 subsequent siblings)
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

The htop utility will attempt to get the scheduling information of all
processes. This information however does not seem to be needed for its
information (no difference in output when allowed or not).

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/kernel/domain.if     |   18 ++++++++++++++++++
 policy/modules/system/userdomain.if |    2 ++
 2 files changed, 20 insertions(+), 0 deletions(-)

diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
index 6a1e4d1..caceae0 100644
--- a/policy/modules/kernel/domain.if
+++ b/policy/modules/kernel/domain.if
@@ -889,6 +889,24 @@ interface(`domain_getpgid_all_domains',`
 
 ########################################
 ## <summary>
+##	Do not audit getting the scheduler information of all domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`domain_dontaudit_getsched_all_domains',`
+	gen_require(`
+		attribute domain;
+	')
+
+	dontaudit $1 domain:process getsched;
+')
+
+########################################
+## <summary>
 ##	Get the scheduler information of all domains.
 ## </summary>
 ## <param name="domain">
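
Review bot: In `domain_dontaudit_getsched_all_domains`, the rule `dontaudit $1 domain:process getsched;` targets the whole `domain` attribute, so it silences getsched denials of the caller against itself as well as against every other domain. The summary should say so explicitly, because a caller will no longer see any getsched denial in the audit log once this interface is applied to it.
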
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 6d4424b..99ab865 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
 	dev_read_sound_mixer($1_t)
 	dev_write_sound_mixer($1_t)
 
+	domain_dontaudit_getsched_all_domains($1_t)
+
 	files_exec_etc_files($1_t)
 	files_search_locks($1_t)
 	# Check to see if cdrom is mounted
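
Review bot: The call added to `userdom_common_user_template` carries no comment, although the commit message gives htop as the only reason for it. Add a comment naming htop above `domain_dontaudit_getsched_all_domains($1_t)` so the rule can be revisited or removed later, and consider whether it belongs in the common template for every user domain.
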
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
                   ` (4 preceding siblings ...)
  2012-12-17  9:42 ` [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:31   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition Sven Vermeulen
  2012-12-17  9:42 ` [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries Sven Vermeulen
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

The stunnel init script reads the stunnel configuration to find out where to
store and check for the PID file.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/system/init.te |    4 ++++
 1 files changed, 4 insertions(+), 0 deletions(-)

diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5f2a36a..a8f385b 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -837,6 +837,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	stunnel_read_config(initrc_t)
+')
+
+optional_policy(`
 	sysnet_read_dhcpc_state(initrc_t)
 ')
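
Review bot: The new `stunnel_read_config(initrc_t)` block has no comment explaining why init scripts need the stunnel configuration. The commit message says the init script reads it to locate the PID file; put that in a one-line comment inside the `optional_policy` block so the grant is not mistaken for a leftover.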
 
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
                   ` (5 preceding siblings ...)
  2012-12-17  9:42 ` [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:08   ` Christopher J. PeBenito
  2012-12-17  9:42 ` [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries Sven Vermeulen
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy

In many cases throughout the policy, domains require read/write privileges on
inherited descriptors. In most cases, these are for files, where the domain
needs the read-write permissions but of course no open privilege.

Instead of having to hard-code the permissions every time, this patch introduces
the rw_inherited_file_perms to support simple calls for these inherited
descriptors.

Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/support/obj_perm_sets.spt |    3 ++-
 1 files changed, 2 insertions(+), 1 deletions(-)

diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
index 6e91317..48f0c7a 100644
--- a/policy/support/obj_perm_sets.spt
+++ b/policy/support/obj_perm_sets.spt
@@ -158,7 +158,8 @@ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
 define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
 define(`append_file_perms',`{ getattr open append lock ioctl }')
 define(`write_file_perms',`{ getattr open write append lock ioctl }')
-define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
+define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
+define(`rw_file_perms',`{ rw_inherited_file_perms open }')
 define(`create_file_perms',`{ getattr create open }')
 define(`rename_file_perms',`{ getattr rename }')
 define(`delete_file_perms',`{ getattr unlink }')
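
Review bot: `rw_inherited_file_perms` is introduced for the file class only, while `rw_file_perms` is now built from it as `{ rw_inherited_file_perms open }`. If the inherited variant is meant as a general convention, the same split is needed wherever else this file defines a read/write set that includes `open`. A short comment above the new define should also say that "inherited" means the descriptor is passed in and `open` is deliberately left out.
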
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries
  2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
                   ` (6 preceding siblings ...)
  2012-12-17  9:42 ` [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition Sven Vermeulen
@ 2012-12-17  9:42 ` Sven Vermeulen
  2013-01-03 15:31   ` Christopher J. PeBenito
  7 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17  9:42 UTC (permalink / raw)
  To: refpolicy


Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
 policy/modules/admin/usermanage.if |   36 ++++++++++++++++++++++++++++++++++++
 1 files changed, 36 insertions(+), 0 deletions(-)

diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
index 98b8b2d..99e3903 100644
--- a/policy/modules/admin/usermanage.if
+++ b/policy/modules/admin/usermanage.if
@@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',`
 
 ########################################
 ## <summary>
+##	Check if the passwd binary is executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_passwd',`
+	gen_require(`
+		type passwd_exec_t;
+	')
+
+	allow $1 passwd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ##	Execute passwd in the passwd domain, and
 ##	allow the specified role the passwd domain.
 ## </summary>
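
Review bot: `usermanage_check_exec_passwd` grants `execute` on passwd_exec_t, yet its summary says it only checks whether the binary is executable, and the patch has no commit message explaining which caller needs it. Say in the summary that the rule `allow $1 passwd_exec_t:file { execute getattr_file_perms };` covers the access check and attribute reads and includes no transition, and describe the intended caller in the commit message.
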
@@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',`
 
 ########################################
 ## <summary>
+##	Check if the useradd binaries are executable.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`usermanage_check_exec_useradd',`
+	gen_require(`
+		type useradd_exec_t;
+	')
+
+	allow $1 useradd_exec_t:file { execute getattr_file_perms };
+')
+
+########################################
+## <summary>
 ##	Execute useradd in the useradd domain, and
 ##	allow the specified role the useradd domain.
 ## </summary>
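
Review bot: The summary of `usermanage_check_exec_useradd` says "useradd binaries" in the plural while the rule covers whatever is labeled useradd_exec_t; name the type or the binaries in the summary so callers know what they are getting. As with the passwd interface earlier in this patch, the summary should also state that `execute` is granted without any transition.
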
-- 
1.7.8.6

^ permalink raw reply related	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
  2012-12-17  9:42 ` [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains Sven Vermeulen
@ 2012-12-17 10:20   ` grift
  2012-12-17 10:26     ` Sven Vermeulen
  0 siblings, 1 reply; 25+ messages in thread
From: grift @ 2012-12-17 10:20 UTC (permalink / raw)
  To: refpolicy

On Mon, 2012-12-17 at 10:42 +0100, Sven Vermeulen wrote:
> The htop utility will attempt to get the scheduling information of all
> processes. This information however does not seem to be needed for its
> information (no difference in output when allowed or not).
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/kernel/domain.if     |   18 ++++++++++++++++++
>  policy/modules/system/userdomain.if |    2 ++
>  2 files changed, 20 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if
> index 6a1e4d1..caceae0 100644
> --- a/policy/modules/kernel/domain.if
> +++ b/policy/modules/kernel/domain.if
> @@ -889,6 +889,24 @@ interface(`domain_getpgid_all_domains',`
>  
>  ########################################
>  ## <summary>
> +##	Do not audit getting the scheduler information of all domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`domain_dontaudit_getsched_all_domains',`
> +	gen_require(`
> +		attribute domain;
> +	')
> +
> +	dontaudit $1 domain:process getsched;
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the scheduler information of all domains.
>  ## </summary>
>  ## <param name="domain">
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 6d4424b..99ab865 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
>  	dev_read_sound_mixer($1_t)
>  	dev_write_sound_mixer($1_t)
>  
> +	domain_dontaudit_getsched_all_domains($1_t)

That is too coarse in my view.

This will also dontaudit legitimate access for processes needing this
running in the user domain.

Let's say I have this app that depends on this permission for itself:

allow staff_t self:process { signal getsched };

Then this rule will silently hide that access.

> +
>  	files_exec_etc_files($1_t)
>  	files_search_locks($1_t)
>  	# Check to see if cdrom is mounted

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
  2012-12-17 10:20   ` grift
@ 2012-12-17 10:26     ` Sven Vermeulen
  2012-12-21 20:17       ` Sven Vermeulen
  0 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-17 10:26 UTC (permalink / raw)
  To: refpolicy

On Mon, Dec 17, 2012 at 11:20:55AM +0100, grift wrote:
> > The htop utility will attempt to get the scheduling information of all
> > processes. This information however does not seem to be needed for its
> > information (no difference in output when allowed or not).
[...]
> > +interface(`domain_dontaudit_getsched_all_domains',`
> > +	gen_require(`
> > +		attribute domain;
> > +	')
> > +
> > +	dontaudit $1 domain:process getsched;
> > +')
[...]
> > --- a/policy/modules/system/userdomain.if
> > +++ b/policy/modules/system/userdomain.if
> > @@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
> >  	dev_read_sound_mixer($1_t)
> >  	dev_write_sound_mixer($1_t)
> >  
> > +	domain_dontaudit_getsched_all_domains($1_t)
> 
> That is too coarse in my view.
> 
> This will also dontaudit legitimate access for processes needing this
> running in the user domain.
> 
> Lets say i have this app that depends on this permission for itself:
> 
> allow staff_t self:process { signal getsched };
> 
> Then this rule will silently hide that access

I understand that, but the other method would be to create
*_dontaudit_getsched for each and every possible module, and add it in the
user domain definition fully loaded with optional_policy() statements.

And if the user domain doesn't need getsched itself, then running htop will
generate denials anyhow for self (i.e. in your above example, you'll get
denials for staff_t getsched on itself) so eventually you'll add in a
staff_dontaudit_getsched() for that too?

Another alternative could be to run htop in its own domain, but that doesn't
make sense imo...

Wkr,
	Sven Vermeulen

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
  2012-12-17 10:26     ` Sven Vermeulen
@ 2012-12-21 20:17       ` Sven Vermeulen
  2013-01-03 15:05         ` Christopher J. PeBenito
  0 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2012-12-21 20:17 UTC (permalink / raw)
  To: refpolicy

On Mon, Dec 17, 2012 at 11:26:04AM +0100, Sven Vermeulen wrote:
> > > --- a/policy/modules/system/userdomain.if
> > > +++ b/policy/modules/system/userdomain.if
> > > @@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
> > >  	dev_read_sound_mixer($1_t)
> > >  	dev_write_sound_mixer($1_t)
> > >  
> > > +	domain_dontaudit_getsched_all_domains($1_t)
> > 
> > That is too coarse in my view.
> > 
> > This will also dontaudit legitimate access for processes needing this
> > running in the user domain.
> > 
> > Lets say i have this app that depends on this permission for itself:
> > 
> > allow staff_t self:process { signal getsched };
> > 
> > Then this rule will silently hide that access
> 
> I understand that, but the other method would be to create
> *_dontaudit_getsched for each and every possible module, and add it in the
> user domain definition fully loaded with optional_policy() statements.
> 
> And if the user domain doesn't need getsched itself, then running htop will
> generate denials anyhow for self (i.e. in your above example, you'll get
> denials for staff_t getsched on itself) so eventually you'll add in a
> staff_dontaudit_getsched() for that too?
> 
> Another alternative could be to run htop in its own domain, but that doesn't
> make sense imo...

Chris, what is your take on this?

Wkr,
	Sven Vermeulen

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains
  2012-12-21 20:17       ` Sven Vermeulen
@ 2013-01-03 15:05         ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:05 UTC (permalink / raw)
  To: refpolicy

On 12/21/12 15:17, Sven Vermeulen wrote:
> On Mon, Dec 17, 2012 at 11:26:04AM +0100, Sven Vermeulen wrote:
>>>> --- a/policy/modules/system/userdomain.if
>>>> +++ b/policy/modules/system/userdomain.if
>>>> @@ -523,6 +523,8 @@ template(`userdom_common_user_template',`
>>>>  	dev_read_sound_mixer($1_t)
>>>>  	dev_write_sound_mixer($1_t)
>>>>  
>>>> +	domain_dontaudit_getsched_all_domains($1_t)
>>>
>>> That is too coarse in my view.
>>>
>>> This will also dontaudit legitimate access for processes needing this
>>> running in the user domain.
>>>
>>> Lets say i have this app that depends on this permission for itself:
>>>
>>> allow staff_t self:process { signal getsched };
>>>
>>> Then this rule will silently hide that access
>>
>> I understand that, but the other method would be to create
>> *_dontaudit_getsched for each and every possible module, and add it in the
>> user domain definition fully loaded with optional_policy() statements.
>>
>> And if the user domain doesn't need getsched itself, then running htop will
>> generate denials anyhow for self (i.e. in your above example, you'll get
>> denials for staff_t getsched on itself) so eventually you'll add in a
>> staff_dontaudit_getsched() for that too?
>>
>> Another alternative could be to run htop in its own domain, but that doesn't
>> make sense imo...
> 
> Chris, what is your take on this?

While I'm typically conservative on permissions, I'm not as concerned about this.  True, it can cover up legitimate denials, but the dontaudits can always do that.  Since this is due to a specific app, add a comment so we can remove the rule if/when htop gets fixed for all these superfluous getscheds.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition
  2012-12-17  9:42 ` [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition Sven Vermeulen
@ 2013-01-03 15:08   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:08 UTC (permalink / raw)
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> In many cases throughout the policy, domains require read/write privileges on
> inherited descriptors. In most cases, these are for files, where the domain
> needs the read-write permissions but of course no open privilege.
> 
> Instead of having to hard-code the permissions every time, this patch introduces
> the rw_inherited_file_perms to support simple calls for these inherited
> descriptors.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/support/obj_perm_sets.spt |    3 ++-
>  1 files changed, 2 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/support/obj_perm_sets.spt b/policy/support/obj_perm_sets.spt
> index 6e91317..48f0c7a 100644
> --- a/policy/support/obj_perm_sets.spt
> +++ b/policy/support/obj_perm_sets.spt
> @@ -158,7 +158,8 @@ define(`mmap_file_perms',`{ getattr open read execute ioctl }')
>  define(`exec_file_perms',`{ getattr open read execute ioctl execute_no_trans }')
>  define(`append_file_perms',`{ getattr open append lock ioctl }')
>  define(`write_file_perms',`{ getattr open write append lock ioctl }')
> -define(`rw_file_perms',`{ getattr open read write append ioctl lock }')
> +define(`rw_inherited_file_perms',`{ getattr read write append ioctl lock }')
> +define(`rw_file_perms',`{ rw_inherited_file_perms open }')
>  define(`create_file_perms',`{ getattr create open }')
>  define(`rename_file_perms',`{ getattr rename }')
>  define(`delete_file_perms',`{ getattr unlink }')
> 

Since the tide seems to be going against me on these inherited permissions, I can accept it, but the change needs to be done for all of the relevant file classes.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2012-12-17  9:42 ` [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content Sven Vermeulen
@ 2013-01-03 15:13   ` Christopher J. PeBenito
  2013-01-03 16:12     ` Sven Vermeulen
  0 siblings, 1 reply; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:13 UTC (permalink / raw)
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> The apache_manage_all_user_content interface has been deprecated and is now
> pointing towards apache_manage_all_content.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/usermanage.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 673180c..9721f3b 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -533,7 +533,7 @@ ifdef(`distro_redhat',`
>  ')
>  
>  optional_policy(`
> -	apache_manage_all_user_content(useradd_t)
> +	apache_manage_all_content(useradd_t)
>  ')
>  
>  optional_policy(`

I disagree with this change.  Useradd should only be creating user content, e.g. ~/public_html.  This change would provide too much access.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket
  2012-12-17  9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
@ 2013-01-03 15:30   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:30 UTC (permalink / raw)
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> When starting postgresql, it fails with the (little saying) error message:
> pg_ctl: could not start server
> 
> In the denials, we notice:
> Nov 24 10:41:52 lerya kernel: [1628900.540506] type=1400
> audit(1353750112.021:10143): avc:  denied  { connectto } for  pid=20481
> comm="pg_ctl" path="/run/postgresql/.s.PGSQL.5432" ipaddr=...
> scontext=system_u:system_r:postgresql_t tcontext=system_u:system_r:postgresql_t
> tclass=unix_stream_socket
> 
> Hence, allow postgresql to connect to its own stream socket.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/services/postgresql.te |    2 +-
>  1 files changed, 1 insertions(+), 1 deletions(-)
> 
> diff --git a/policy/modules/services/postgresql.te b/policy/modules/services/postgresql.te
> index 0210aef..94b1a57 100644
> --- a/policy/modules/services/postgresql.te
> +++ b/policy/modules/services/postgresql.te
> @@ -234,7 +234,7 @@ allow postgresql_t self:shm create_shm_perms;
>  allow postgresql_t self:tcp_socket create_stream_socket_perms;
>  allow postgresql_t self:udp_socket create_stream_socket_perms;
>  allow postgresql_t self:unix_dgram_socket create_socket_perms;
> -allow postgresql_t self:unix_stream_socket create_stream_socket_perms;
> +allow postgresql_t self:unix_stream_socket { create_stream_socket_perms connectto };
>  allow postgresql_t self:netlink_selinux_socket create_socket_perms;
>  tunable_policy(`sepgsql_transmit_client_label',`
>  	allow postgresql_t self:process { setsockcreate };
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 25+ messages in thread

* [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2)
  2012-12-17  9:42 ` [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2) Sven Vermeulen
@ 2013-01-03 15:30   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:30 UTC (permalink / raw)
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> If the /run/lock/lvm directory doesn't exist yet, running any of the LVM tools
> (like lvscan) will create this directory. Introduce a named file transition for
> the lock location when a directory named "lvm" is created and grant the
> necessary rights to create the directory.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/lvm.te |    2 ++
>  1 files changed, 2 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index f8eeecd..a712d85 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -192,7 +192,9 @@ can_exec(lvm_t, lvm_exec_t)
>  
>  # Creating lock files
>  manage_files_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
> +create_dirs_pattern(lvm_t, lvm_lock_t, lvm_lock_t)
>  files_lock_filetrans(lvm_t, lvm_lock_t, file)
> +files_lock_filetrans(lvm_t, lvm_lock_t, dir, "lvm")
>  
>  manage_dirs_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
>  manage_files_pattern(lvm_t, lvm_var_lib_t, lvm_var_lib_t)
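Review bot: the comment above this block still reads "# Creating lock files" although the two added lines cover a directory; update it to mention the lock directory. The named transition limits the dir case to "lvm" and create_dirs_pattern grants creation only, so any later need to remove or re-create the directory will surface as a denial; the commit message should say whether create-only is intended.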
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2)
  2012-12-17  9:42 ` [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2) Sven Vermeulen
@ 2013-01-03 15:31   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:31 UTC
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> Some cron daemons, including vixie-cron, support using the system logger for
> handling their logging events. Hence we allow syslogd_t to manage the cron logs,
> and put a file transition in place for the system logger when it creates the
> cron.log file.
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/logging.te |    5 +++++
>  1 files changed, 5 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/logging.te b/policy/modules/system/logging.te
> index 09b9a31..c75cd96 100644
> --- a/policy/modules/system/logging.te
> +++ b/policy/modules/system/logging.te
> @@ -490,6 +490,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	cron_manage_log_files(syslogd_t)
> +	cron_generic_log_filetrans_log(syslogd_t, file, "cron.log")
> +')
> +
> +optional_policy(`
>  	inn_manage_log(syslogd_t)
>  	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.crit")
>  	inn_generic_log_filetrans_innd_log(syslogd_t, file, "news.err")
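Review bot: the named transition in the new block covers only "cron.log", whereas the inn block below it lists several file names; if the logger is configured to write cron messages under any other name, that file will not get the cron log type through this rule. A comment stating that the name has to match the syslog configuration would help. It is also worth checking whether syslogd_t needs full manage access on the cron logs or whether create and append would be enough.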
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration
  2012-12-17  9:42 ` [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration Sven Vermeulen
@ 2013-01-03 15:31   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:31 UTC
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> The stunnel init script reads the stunnel configuration to find out where to
> store and check for the PID file
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/system/init.te |    4 ++++
>  1 files changed, 4 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 5f2a36a..a8f385b 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -837,6 +837,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	stunnel_read_config(initrc_t)
> +')
> +
> +optional_policy(`
>  	sysnet_read_dhcpc_state(initrc_t)
>  ')
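Review bot: the new optional_policy block gives no reason why initrc_t reads the stunnel configuration; the reason (the init script looks up where the PID file lives) exists only in the commit message. Add a one-line comment inside the block next to stunnel_read_config(initrc_t) so the rationale stays with the rule.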

Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries
  2012-12-17  9:42 ` [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries Sven Vermeulen
@ 2013-01-03 15:31   ` Christopher J. PeBenito
  0 siblings, 0 replies; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 15:31 UTC
  To: refpolicy

On 12/17/12 04:42, Sven Vermeulen wrote:
> 
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
>  policy/modules/admin/usermanage.if |   36 ++++++++++++++++++++++++++++++++++++
>  1 files changed, 36 insertions(+), 0 deletions(-)
> 
> diff --git a/policy/modules/admin/usermanage.if b/policy/modules/admin/usermanage.if
> index 98b8b2d..99e3903 100644
> --- a/policy/modules/admin/usermanage.if
> +++ b/policy/modules/admin/usermanage.if
> @@ -140,6 +140,24 @@ interface(`usermanage_kill_passwd',`
>  
>  ########################################
>  ## <summary>
> +##	Check if the passwd binary is executable.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`usermanage_check_exec_passwd',`
> +	gen_require(`
> +		type passwd_exec_t;
> +	')
> +
> +	allow $1 passwd_exec_t:file { execute getattr_file_perms };
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute passwd in the passwd domain, and
>  ##	allow the specified role the passwd domain.
>  ## </summary>
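Review bot: in usermanage_check_exec_passwd the allow rule grants execute on passwd_exec_t but, by itself, neither execute_no_trans nor a domain transition, so the caller can test for executability without being able to run the binary; the summary should say that explicitly, because "Check if the passwd binary is executable" is easy to misread as permission to execute it. The interface also grants nothing on the directory that holds the binary, so callers depend on getting search access there from elsewhere; either add it (for example with corecmd_search_bin($1)) or document the assumption.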
> @@ -253,6 +271,24 @@ interface(`usermanage_domtrans_useradd',`
>  
>  ########################################
>  ## <summary>
> +##	Check if the useradd binaries are executable.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`usermanage_check_exec_useradd',`
> +	gen_require(`
> +		type useradd_exec_t;
> +	')
> +
> +	allow $1 useradd_exec_t:file { execute getattr_file_perms };
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute useradd in the useradd domain, and
>  ##	allow the specified role the useradd domain.
>  ## </summary>
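Review bot: the summary of usermanage_check_exec_useradd says "the useradd binaries" while the passwd variant says "the passwd binary"; pick one wording for both. Since the commit message is empty, add a description to the interface documentation naming what the check is for, as nothing here says which caller needs execute plus getattr on useradd_exec_t without running it.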
 
Merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2013-01-03 15:13   ` Christopher J. PeBenito
@ 2013-01-03 16:12     ` Sven Vermeulen
  2013-01-03 16:24       ` Christopher J. PeBenito
  0 siblings, 1 reply; 25+ messages in thread
From: Sven Vermeulen @ 2013-01-03 16:12 UTC
  To: refpolicy

On Thu, Jan 03, 2013 at 10:13:28AM -0500, Christopher J. PeBenito wrote:
> On 12/17/12 04:42, Sven Vermeulen wrote:
> > The apache_manage_all_user_content interface has been deprecated and is now
> > pointing towards apache_manage_all_content.
[...]
> >  optional_policy(`
> > -	apache_manage_all_user_content(useradd_t)
> > +	apache_manage_all_content(useradd_t)
> >  ')
> >  
> >  optional_policy(`
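Review bot: the + line makes useradd_t call apache_manage_all_content directly, which removes the only marker at this call site that the intent is user content. Even where the deprecated wrapper forwards to the same interface, keeping the user-content call here and resolving the deprecation on the apache side leaves room to narrow the grant later without revisiting this caller.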
> 
> I disagree with this change.  Useradd should only be creating user content, e.g.
> ~/public_html.  This change would provide too much access.

You misunderstood me (or I expressed myself badly ;-)

This is currently the definition of apache_manage_all_user_content:

#v+
interface(`apache_manage_all_user_content',`
        refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
        apache_manage_all_content($1)
')
#v-

All I did in the patch was replace the call to the (deprecated) function
towards the newly pointed function, so that we don't get a deprecation
notice at build time anymore.

Wkr,
	Sven Vermeulen

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2013-01-03 16:12     ` Sven Vermeulen
@ 2013-01-03 16:24       ` Christopher J. PeBenito
  2013-01-03 16:27         ` Christopher J. PeBenito
  0 siblings, 1 reply; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 16:24 UTC
  To: refpolicy

On 01/03/13 11:12, Sven Vermeulen wrote:
> On Thu, Jan 03, 2013 at 10:13:28AM -0500, Christopher J. PeBenito wrote:
>> On 12/17/12 04:42, Sven Vermeulen wrote:
>>> The apache_manage_all_user_content interface has been deprecated and is now
>>> pointing towards apache_manage_all_content.
> [...]
>>>  optional_policy(`
>>> -	apache_manage_all_user_content(useradd_t)
>>> +	apache_manage_all_content(useradd_t)
>>>  ')
>>>  
>>>  optional_policy(`
>>
>> I disagree with this change.  Useradd should only be creating user content, e.g.
>> ~/public_html.  This change would provide too much access.
> 
> You misunderstood me (or I expressed myself badly ;-)
> 
> This is currently the definition of apache_manage_all_user_content:
> 
> #v+
> interface(`apache_manage_all_user_content',`
>         refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
>         apache_manage_all_content($1)
> ')
> #v-
> 
> All I did in the patch was replace the call to the (deprecated) function
> towards the newly pointed function, so that we don't get a deprecation
> notice at build time anymore.

I didn't misunderstand.  I think the interface should be un-deprecated.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2013-01-03 16:24       ` Christopher J. PeBenito
@ 2013-01-03 16:27         ` Christopher J. PeBenito
  2013-01-11 18:29           ` Dominick Grift
  0 siblings, 1 reply; 25+ messages in thread
From: Christopher J. PeBenito @ 2013-01-03 16:27 UTC
  To: refpolicy

On 01/03/13 11:24, Christopher J. PeBenito wrote:
> On 01/03/13 11:12, Sven Vermeulen wrote:
>> On Thu, Jan 03, 2013 at 10:13:28AM -0500, Christopher J. PeBenito wrote:
>>> On 12/17/12 04:42, Sven Vermeulen wrote:
>>>> The apache_manage_all_user_content interface has been deprecated and is now
>>>> pointing towards apache_manage_all_content.
>> [...]
>>>>  optional_policy(`
>>>> -	apache_manage_all_user_content(useradd_t)
>>>> +	apache_manage_all_content(useradd_t)
>>>>  ')
>>>>  
>>>>  optional_policy(`
>>>
>>> I disagree with this change.  Useradd should only be creating user content, e.g.
>>> ~/public_html.  This change would provide too much access.
>>
>> You misunderstood me (or I expressed myself badly ;-)
>>
>> This is currently the definition of apache_manage_all_user_content:
>>
>> #v+
>> interface(`apache_manage_all_user_content',`
>>         refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
>>         apache_manage_all_content($1)
>> ')
>> #v-
>>
>> All I did in the patch was replace the call to the (deprecated) function
>> towards the newly pointed function, so that we don't get a deprecation
>> notice at build time anymore.
> 
> I didn't misunderstand.  I think the interface should be un-deprecated.

To further clarify, I think the interface should be un-deprecated and the original implementation restored.  User content is the stuff in ~/public_html.  It's not interchangeable with all content, which includes the static web pages and content from web apps.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2013-01-03 16:27         ` Christopher J. PeBenito
@ 2013-01-11 18:29           ` Dominick Grift
  2013-01-11 19:23             ` Sven Vermeulen
  0 siblings, 1 reply; 25+ messages in thread
From: Dominick Grift @ 2013-01-11 18:29 UTC
  To: refpolicy

On Thu, 2013-01-03 at 11:27 -0500, Christopher J. PeBenito wrote:
> On 01/03/13 11:24, Christopher J. PeBenito wrote:
> > On 01/03/13 11:12, Sven Vermeulen wrote:
> >> On Thu, Jan 03, 2013 at 10:13:28AM -0500, Christopher J. PeBenito wrote:
> >>> On 12/17/12 04:42, Sven Vermeulen wrote:
> >>>> The apache_manage_all_user_content interface has been deprecated and is now
> >>>> pointing towards apache_manage_all_content.
> >> [...]
> >>>>  optional_policy(`
> >>>> -	apache_manage_all_user_content(useradd_t)
> >>>> +	apache_manage_all_content(useradd_t)
> >>>>  ')
> >>>>  
> >>>>  optional_policy(`
> >>>
> >>> I disagree with this change.  Useradd should only be creating user content, e.g.
> >>> ~/public_html.  This change would provide too much access.
> >>
> >> You misunderstood me (or I expressed myself badly ;-)
> >>
> >> This is currently the definition of apache_manage_all_user_content:
> >>
> >> #v+
> >> interface(`apache_manage_all_user_content',`
> >>         refpolicywarn(`$0($*) has been deprecated, use apache_manage_all_content() instead.')
> >>         apache_manage_all_content($1)
> >> ')
> >> #v-
> >>
> >> All I did in the patch was replace the call to the (deprecated) function
> >> towards the newly pointed function, so that we don't get a deprecation
> >> notice at build time anymore.
> > 
> > I didn't misunderstand.  I think the interface should be un-deprecated.
> 
> To further clarify, I think the interface should be un-deprecated and the original implementation restored.  User content is the stuff in ~/public_html.  It's not interchangeable with all content, which includes the static web pages and content from web apps.
> 

Yes, I guess I misunderstood this interface. Sven: will you create a
patch for this or do I have to change it?

* [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content
  2013-01-11 18:29           ` Dominick Grift
@ 2013-01-11 19:23             ` Sven Vermeulen
  0 siblings, 0 replies; 25+ messages in thread
From: Sven Vermeulen @ 2013-01-11 19:23 UTC
  To: refpolicy

On Fri, Jan 11, 2013 at 07:29:23PM +0100, Dominick Grift wrote:
> > To further clarify, I think the interface should be un-deprecated and the original implementation restored.  User content is the stuff in ~/public_html.  It's not interchangeable with all content, which includes the static web pages and content from web apps.
> > 
> 
> Yes, I guess I misunderstood this interface. Sven: will you create a
> patch for this or do I have to change it?

I can, but don't expect it this week - swamped with work right now. But I
don't mind taking this on me if you have the patience ;-)

Wkr,
	Sven Vermeulen

Thread overview: 25+ messages
2012-12-17  9:42 [refpolicy] [PATCH 0/8] Updates on master (non-contrib) Sven Vermeulen
2012-12-17  9:42 ` [refpolicy] [PATCH 1/8] Postgresql 9.2 connects to its unix stream socket Sven Vermeulen
2013-01-03 15:30   ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 2/8] lvscan creates the /run/lock/lvm directory if nonexisting (v2) Sven Vermeulen
2013-01-03 15:30   ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 3/8] Allow syslogger to manage cron log files (v2) Sven Vermeulen
2013-01-03 15:31   ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 4/8] Update towards apache_manage_all_content Sven Vermeulen
2013-01-03 15:13   ` Christopher J. PeBenito
2013-01-03 16:12     ` Sven Vermeulen
2013-01-03 16:24       ` Christopher J. PeBenito
2013-01-03 16:27         ` Christopher J. PeBenito
2013-01-11 18:29           ` Dominick Grift
2013-01-11 19:23             ` Sven Vermeulen
2012-12-17  9:42 ` [refpolicy] [PATCH 5/8] Dontaudit getsched on all domains Sven Vermeulen
2012-12-17 10:20   ` grift
2012-12-17 10:26     ` Sven Vermeulen
2012-12-21 20:17       ` Sven Vermeulen
2013-01-03 15:05         ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 6/8] Allow initrc_t to read stunnel configuration Sven Vermeulen
2013-01-03 15:31   ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 7/8] Introduce rw_inherited_file_perms definition Sven Vermeulen
2013-01-03 15:08   ` Christopher J. PeBenito
2012-12-17  9:42 ` [refpolicy] [PATCH 8/8] Introduce exec-check interfaces for passwd binaries and useradd binaries Sven Vermeulen
2013-01-03 15:31   ` Christopher J. PeBenito