* [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface
@ 2015-08-24 15:10 Jason Zaman
From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw)
  To: refpolicy

Administering rsync does not require running it in the rsync_t domain, and
this causes problems for backups and the like, which would originally run
in the user's domain but now run in rsync_t.
---
 rsync.if | 2 --
 1 file changed, 2 deletions(-)

diff --git a/rsync.if b/rsync.if
index e916de8..c7b19aa 100644
--- a/rsync.if
+++ b/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
 
 	files_search_pids($1)
 	admin_pattern($1, rsync_var_run_t)
-
-	rsync_run($1, $2)
 ')
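Review bot: with `rsync_run($1, $2)` removed, `$2` (the role parameter) is no longer referenced anywhere in the visible body of `rsync_admin`; keep the parameter so existing callers still build, but update the interface's doc comment so the role is documented as accepted for compatibility only. The effect on privilege is the intended one: the admin domain keeps the pid-file management rules but no longer gets a domain transition into rsync_t, so backups started by that admin stay in the caller's domain as the commit message describes.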
-- 
2.4.6


* [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets
@ 2015-08-24 15:10 ` Jason Zaman
From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw)
  To: refpolicy

git_session_t already has these permissions but they are missing on
git_system_t. Instead add the perms on the git_daemon attribute which
covers both system and session daemons.
---
 git.te | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/git.te b/git.te
index 1ca8c24..517d513 100644
--- a/git.te
+++ b/git.te
@@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
 # Session policy
 #
 
-allow git_session_t self:tcp_socket { accept listen };
-
 userdom_search_user_home_dirs(git_session_t)
 
 corenet_all_recvfrom_netlabel(git_session_t)
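Review bot: removing `allow git_session_t self:tcp_socket { accept listen };` is only safe if git_session_t is a member of the git_daemon attribute, and that typeattribute assignment is not in the visible context of this hunk; confirm it exists in git.te before merging, otherwise the session daemon silently loses listen/accept rather than gaining nothing.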
@@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
 #
 
 allow git_daemon self:fifo_file rw_fifo_file_perms;
+allow git_daemon self:tcp_socket { accept listen };
 
 list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
 read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
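Review bot: the added `allow git_daemon self:tcp_socket { accept listen };` grants only accept and listen, which is sufficient when xinetd hands the daemon an already-bound socket, but nothing in this hunk covers socket creation or name_bind on the git port, which a daemon that opens its own listening socket under init also needs. Confirm those rules exist elsewhere for git_system_t (this hunk cannot show them), or the standalone system daemon still cannot open its port after this change.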
-- 
2.4.6


* [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes
@ 2015-08-24 15:10 ` Jason Zaman
From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw)
  To: refpolicy

---
 hadoop.if | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)

diff --git a/hadoop.if b/hadoop.if
index a0a819f..5908119 100644
--- a/hadoop.if
+++ b/hadoop.if
@@ -426,7 +426,6 @@ interface(`hadoop_admin',`
 		attribute hadoop_domain;
 		attribute hadoop_initrc_domain;
 
-		attribute hadoop_init_script_file;
 		attribute hadoop_pid_file;
 		attribute hadoop_lock_file;
 		attribute hadoop_log_file;
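Review bot: dropping `attribute hadoop_init_script_file;` from the gen_require block is consistent only if the attribute has no remaining users in `hadoop_admin`; this hunk shows the declaration removal but not the rest of the interface, so confirm the `init_startstop_service` call in the other hunk was its last use. Keeping `attribute hadoop_initrc_domain;` is correct since the ptrace and ps rules further down still reference it.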
@@ -436,12 +435,22 @@ interface(`hadoop_admin',`
 		type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
 		type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
 		type zookeeper_server_var_t;
+
+		type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
+		type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
+		type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
+		type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
+		type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
 	')
 
 	allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
 
-	init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
+	init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
+	init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
+	init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
+	init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
+	init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
 
 	files_search_etc($1)
 	admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
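Review bot: the five explicit `init_startstop_service($1, $2, <svc>_initrc_t, <svc>_initrc_exec_t)` calls replace one attribute-based call, so every hadoop service added in future needs two edits in this interface (a `type` line in gen_require and a matching call) or admins silently lose the ability to start and stop it; a one-line comment above the block stating that init_startstop_service() takes concrete types, not attributes, would make that maintenance requirement visible to the next editor. The patch also has no body text explaining why the attribute form fails, which is worth adding to the commit message.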
-- 
2.4.6


* [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface
@ 2015-08-25 10:17 ` Dominick Grift
From: Dominick Grift @ 2015-08-25 10:17 UTC (permalink / raw)
  To: refpolicy

On Mon, Aug 24, 2015 at 11:10:07PM +0800, Jason Zaman wrote:
> Administering rsync does not require running it in the rsync_t domain, and
> this causes problems for backups and the like, which would originally run
> in the user's domain but now run in rsync_t.

Thanks, merged

> ---
>  rsync.if | 2 --
>  1 file changed, 2 deletions(-)
> 
> diff --git a/rsync.if b/rsync.if
> index e916de8..c7b19aa 100644
> --- a/rsync.if
> +++ b/rsync.if
> @@ -276,6 +276,4 @@ interface(`rsync_admin',`
>  
>  	files_search_pids($1)
>  	admin_pattern($1, rsync_var_run_t)
> -
> -	rsync_run($1, $2)
>  ')
> -- 
> 2.4.6
> 
> _______________________________________________
> refpolicy mailing list
> refpolicy at oss.tresys.com
> http://oss.tresys.com/mailman/listinfo/refpolicy

-- 
02DFF788
4D30 903A 1CF3 B756 FB48  1514 3148 83A2 02DF F788
http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788
Dominick Grift


* [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets
@ 2015-08-25 10:22   ` Dominick Grift
From: Dominick Grift @ 2015-08-25 10:22 UTC (permalink / raw)
  To: refpolicy

On Mon, Aug 24, 2015 at 11:10:08PM +0800, Jason Zaman wrote:
> git_session_t already has these permissions but they are missing on
> git_system_t. Instead add the perms on the git_daemon attribute which
> covers both system and session daemons.

By default git-daemon as a system service is configured with xinetd. The
way xinetd works is that it basically handles networking on git daemon's
behalf. I thought I did add support to run git-daemon as a sysv init
system service, and I did, but this part was missing indeed.

Thanks, merged.

> ---
>  git.te | 3 +--
>  1 file changed, 1 insertion(+), 2 deletions(-)
> 
> diff --git a/git.te b/git.te
> index 1ca8c24..517d513 100644
> --- a/git.te
> +++ b/git.te
> @@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t)
>  # Session policy
>  #
>  
> -allow git_session_t self:tcp_socket { accept listen };
> -
>  userdom_search_user_home_dirs(git_session_t)
>  
>  corenet_all_recvfrom_netlabel(git_session_t)
> @@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',`
>  #
>  
>  allow git_daemon self:fifo_file rw_fifo_file_perms;
> +allow git_daemon self:tcp_socket { accept listen };
>  
>  list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t)
>  read_files_pattern(git_daemon, git_user_content_t, git_user_content_t)
> -- 
> 2.4.6
> 



* [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes
@ 2015-08-25 10:27   ` Dominick Grift
From: Dominick Grift @ 2015-08-25 10:27 UTC (permalink / raw)
  To: refpolicy

On Mon, Aug 24, 2015 at 11:10:09PM +0800, Jason Zaman wrote:
> ---
>  hadoop.if | 13 +++++++++++--
>  1 file changed, 11 insertions(+), 2 deletions(-)

Yes, that is an unfortunate side effect. CIL can deal with this.

Merged, thanks

> 
> diff --git a/hadoop.if b/hadoop.if
> index a0a819f..5908119 100644
> --- a/hadoop.if
> +++ b/hadoop.if
> @@ -426,7 +426,6 @@ interface(`hadoop_admin',`
>  		attribute hadoop_domain;
>  		attribute hadoop_initrc_domain;
>  
> -		attribute hadoop_init_script_file;
>  		attribute hadoop_pid_file;
>  		attribute hadoop_lock_file;
>  		attribute hadoop_log_file;
> @@ -436,12 +435,22 @@ interface(`hadoop_admin',`
>  		type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t;
>  		type zookeeper_t, zookeeper_etc_t, zookeeper_server_t;
>  		type zookeeper_server_var_t;
> +
> +		type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t;
> +		type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t;
> +		type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t;
> +		type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t;
> +		type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t;
>  	')
>  
>  	allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms };
>  	ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t })
>  
> -	init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file)
> +	init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t)
> +	init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t)
> +	init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t)
> +	init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t)
> +	init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t)
>  
>  	files_search_etc($1)
>  	admin_pattern($1, { hadoop_etc_t zookeeper_etc_t })
> -- 
> 2.4.6
> 


