* [refpolicy]   [PATCH] little misc patches
@ 2017-02-12 11:38 Russell Coker
  2017-02-12 19:25 ` Chris PeBenito
  2017-02-12 19:36 ` Nicolas Iooss
  0 siblings, 2 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-12 11:38 UTC (permalink / raw)
  To: refpolicy

This is a bunch of minor fixes that I split out from another patch which also
has some of the interfaces needed for the systemd core patch I sent a few
days ago (which is why that one didn't work).

After we get this one done I'll create a patch set for systemd that should
make pebenito happy.  ;)

Fix some minor labelling issues for init.

Make lots of things optional_policy to allow more modular builds.

Remove the sysadm_shell_domtrans(init_t) line; it causes problems with systemd
as well as upstart.

Allow kerneloops_t to read /proc/cpuinfo etc.

Make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
question.


Index: refpolicy-2.20170212/policy/modules/system/init.fc
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.fc
+++ refpolicy-2.20170212/policy/modules/system/init.fc
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
 /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
 ')
 
+/usr/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
 
 /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
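Review bot: the `/usr/lib/systemd/[^/]*` entry labels every regular file directly under /usr/lib/systemd as init_exec_t, the entrypoint of init_t, so any helper in that directory that systemd.fc does not label more specifically would be executed by PID 1 without a domain transition and run with init_t's privileges; list the specific binaries that must run as init_t instead of a directory-wide pattern. The system-generators line is the narrower, intended case, but it uses spaces around `--` where the rest of init.fc uses tabs.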
@@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
 /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
 /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
 /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
+/usr/sbin/startx	--	gen_context(system_u:object_r:initrc_exec_t,s0)
+/usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
 /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
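Review bot: labelling `/usr/sbin/startx` as initrc_exec_t looks wrong: startx is an interactive user program, while initrc_exec_t is the entrypoint of the highly privileged initrc_t domain, so callers with an initrc transition would run an X session in initrc_t and user domains that may only execute bin_t would lose access to it; leave it at the default bin_t label. For `/usr/bin/systemd`, note that on a merged-/usr system this path may be a symlink and `--` only matches regular files, so confirm the entry actually applies with `matchpathcon /usr/bin/systemd` on a target install.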
Index: refpolicy-2.20170212/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/logging.te
+++ refpolicy-2.20170212/policy/modules/system/logging.te
@@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
 
 init_dontaudit_use_fds(auditctl_t)
 
-locallogin_dontaudit_use_fds(auditctl_t)
+optional_policy(`
+	locallogin_dontaudit_use_fds(auditctl_t)
+')
 
 logging_set_audit_parameters(auditctl_t)
 logging_send_syslog_msg(auditctl_t)
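Review bot: the new optional_policy block is placed among the unconditional interface calls; refpolicy keeps optional_policy blocks after the plain rules, ordered by module, so move it down with the other auditctl_t optionals. The wrap itself is correct: with locallogin present the rule is unchanged, and without it the build no longer fails on an undefined interface.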
@@ -565,6 +567,8 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(syslogd_t)
+	# for systemd-journal to read seat data from /run/udev/data
+	udev_read_pid_files(syslogd_t)
 ')
 
 optional_policy(`
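Review bot: the comment justifies udev_read_pid_files(syslogd_t) with systemd-journald, but syslogd_t also covers classic syslog daemons in non-systemd builds, which gain read access to everything under /run/udev for no stated reason; wrap the new rule in `ifdef(`init_systemd',`` inside the existing udev optional so the grant is limited to the configuration that needs it.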
Index: refpolicy-2.20170212/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20170212/policy/modules/system/lvm.te
@@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
 
+# for systemd-cryptsetup
+dev_write_kmsg(lvm_t)
+
 logging_send_syslog_msg(lvm_t)
 
 miscfiles_read_localization(lvm_t)
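Review bot: dev_write_kmsg(lvm_t) lets the domain write arbitrary lines into the kernel log ring, which show up as kernel messages to dmesg and log collectors, so it should not be granted more widely than needed; since the comment names systemd-cryptsetup as the only consumer, gate it with `ifdef(`init_systemd',`` so sysvinit builds do not widen lvm_t.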
Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
@@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
 files_read_non_auth_files(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
-locallogin_dontaudit_use_fds(restorecond_t)
+optional_policy(`
+	locallogin_dontaudit_use_fds(restorecond_t)
+')
 
 logging_send_syslog_msg(restorecond_t)
 
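Review bot: placement, as with the auditctl_t change: the new optional_policy block belongs below the unconditional rules, next to the other restorecond_t optional blocks (before the rpm optional), not in the middle of the plain interface calls.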
@@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
 # Running genhomedircon requires this for finding all users
 auth_use_nsswitch(semanage_t)
 
-locallogin_use_fds(semanage_t)
+optional_policy(`
+	locallogin_use_fds(semanage_t)
+')
 
 logging_send_syslog_msg(semanage_t)
 
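Review bot: same placement issue for semanage_t; move the optional_policy block down to the optional section of the semanage_t rules rather than leaving it between auth_use_nsswitch() and logging_send_syslog_msg().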
Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
@@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
 
 miscfiles_read_localization(dhcpc_t)
 
-modutils_run_insmod(dhcpc_t, dhcpc_roles)
+optional_policy(`
+	modutils_run_insmod(dhcpc_t, dhcpc_roles)
+')
 
 sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
 
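Review bot: move this optional_policy block down with the other dhcpc_t optionals (before the netutils block). Also, modutils_run_insmod() adds a role allow for dhcpc_roles, so build once with the modutils module disabled to confirm the optional actually resolves cleanly, since that is the case this change is meant to support.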
@@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
 
 miscfiles_read_localization(ifconfig_t)
 
-modutils_domtrans_insmod(ifconfig_t)
+optional_policy(`
+	modutils_domtrans_insmod(ifconfig_t)
+')
 
 seutil_use_runinit_fds(ifconfig_t)
 
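Review bot: placement again: the ifconfig_t optional_policy block should sit with the other ifconfig_t optionals (after the ipsec block), not between miscfiles_read_localization() and seutil_use_runinit_fds().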
Index: refpolicy-2.20170212/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/init.te
+++ refpolicy-2.20170212/policy/modules/system/init.te
@@ -304,10 +304,6 @@ ifdef(`init_systemd',`
 ',`
 	tunable_policy(`init_upstart',`
 		corecmd_shell_domtrans(init_t, initrc_t)
-	',`
-		# Run the shell in the sysadm role for single-user mode.
-		# causes problems with upstart
-		sysadm_shell_domtrans(init_t)
 	')
 ')
 
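Review bot: deleting the else branch removes the single-user shell transition for every non-systemd, non-upstart build, i.e. plain sysvinit, even though the removed comment says the problem is specific to upstart; without it the rescue shell spawned by init either fails to execute or stays in init_t, which is far more privileged than sysadm_t, so this is a loss of least privilege rather than a fix. Keep the branch and narrow the condition to the init systems or distributions where it actually misbehaves.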
@@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
 # slapd needs to read cert files from its initscript
 miscfiles_read_generic_certs(initrc_t)
 
-modutils_read_module_config(initrc_t)
-modutils_domtrans_insmod(initrc_t)
+optional_policy(`
+	modutils_read_module_config(initrc_t)
+	modutils_domtrans_insmod(initrc_t)
+')
 
 seutil_read_config(initrc_t)
 
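Review bot: the combined modutils optional_policy block for initrc_t is fine as one block, but it belongs much further down in the optional section of the initrc_t rules (between the mailman and mta blocks), not between miscfiles_read_generic_certs() and seutil_read_config().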
Index: refpolicy-2.20170212/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/udev.te
+++ refpolicy-2.20170212/policy/modules/system/udev.te
@@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
 allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow udev_t self:netlink_generic_socket create_socket_perms;
 allow udev_t self:rawip_socket create_socket_perms;
+fs_read_cgroup_files(udev_t)
 
 allow udev_t udev_exec_t:file write;
 can_exec(udev_t, udev_exec_t)
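Review bot: fs_read_cgroup_files(udev_t) is inserted between raw `allow udev_t self:...` rules; move it down with the other fs_* interface calls, and add a one-line comment saying what in udev reads cgroup files, as the other additions in this patch do, so the grant can be re-evaluated later.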
@@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
 kernel_load_module(udev_t)
 kernel_read_system_state(udev_t)
 kernel_request_load_module(udev_t)
+# systemd-udevd needs kernel_load_module
+kernel_load_module(udev_t)
 kernel_getattr_core_if(udev_t)
 kernel_use_fds(udev_t)
 kernel_read_device_sysctls(udev_t)
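Review bot: kernel_load_module(udev_t) is already present three lines above in the same hunk, so the added call and its comment are a duplicate and should be dropped.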
Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
@@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
 files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
 
 kernel_read_ring_buffer(kerneloops_t)
+kernel_read_system_state(kerneloops_t)
 
 domain_use_interactive_fds(kerneloops_t)
 
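Review bot: kernel_read_system_state() grants read access to all of /proc's system state, which is wider than the /proc/cpuinfo read named in the description; refpolicy has no narrower interface for that file, so the grant is acceptable, but add a comment above the call naming /proc/cpuinfo so the scope is recorded as deliberate.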
Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20170212/policy/modules/system/locallogin.te
@@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
 
 corecmd_list_bin(local_login_t)
 corecmd_read_bin_symlinks(local_login_t)
+# for /bin/uname
+corecmd_exec_bin(local_login_t)
 # cjp: these are probably not needed:
 corecmd_read_bin_files(local_login_t)
 corecmd_read_bin_pipes(local_login_t)
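Review bot: corecmd_exec_bin(local_login_t) lets the setuid-root login path execute any bin_t program in its own domain with no transition, which is a broad grant to justify with "for /bin/uname"; the change should include the denial that motivated it (what in login invokes uname), and if it cannot be reproduced the rule should be left out rather than added speculatively.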
Index: refpolicy-2.20170212/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20170212/policy/modules/services/xserver.if
@@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
 
 ########################################
 ## <summary>
-##	Create a named socket in a XDM
+##	Create and unlink a named socket in a XDM
 ##	temporary directory.
 ## </summary>
 ## <param name="domain">
@@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
 	files_search_tmp($1)
 	allow $1 xdm_tmp_t:dir list_dir_perms;
 	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
+	allow $1 xdm_tmp_t:sock_file unlink;
 ')
 
 ########################################
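Review bot: adding `sock_file unlink` to xserver_create_xdm_tmp_socket() silently widens every existing caller of a "create" interface to deletion of sockets in xdm_tmp_t, which callers chose by name and will not expect; put the unlink permission in a separate interface (a delete/unlink variant) and keep the summary of the create interface as it was, so each caller requests only the access it needs.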

^ permalink raw reply	[flat|nested] 5+ messages in thread

* [refpolicy] [PATCH] little misc patches
  2017-02-12 11:38 [refpolicy] [PATCH] little misc patches Russell Coker
@ 2017-02-12 19:25 ` Chris PeBenito
  2017-02-16 11:57   ` Russell Coker
  2017-02-12 19:36 ` Nicolas Iooss
  1 sibling, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-02-12 19:25 UTC (permalink / raw)
  To: refpolicy

On 02/12/17 06:38, Russell Coker via refpolicy wrote:
> This is a bunch of minor fixes that I split out from another patch which also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy.  ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
>  /usr/lib/rc/init\.d(/.*)?		gen_context(system_u:object_r:initrc_state_t,s0)
>  ')
>
> +/usr/lib/systemd/[^/]*	--	gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/lib/systemd/system-generators/[^/]* -- gen_context(system_u:object_r:init_exec_t,s0)
>
>  /usr/libexec/dcc/start-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --	gen_context(system_u:object_r:initrc_exec_t,s0)
> @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
>  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
>  /usr/sbin/open_init_pty	--	gen_context(system_u:object_r:initrc_exec_t,s0)
>  /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> +/usr/sbin/startx	--	gen_context(system_u:object_r:initrc_exec_t,s0)

This doesn't seem right.  Then if you don't have XDM, regular users 
can't run startx.


> +/usr/bin/systemd	--	gen_context(system_u:object_r:init_exec_t,s0)
>
>  ifdef(`distro_gentoo', `
>  /usr/sbin/rc		--	gen_context(system_u:object_r:rc_exec_t,s0)
> Index: refpolicy-2.20170212/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20170212/policy/modules/system/logging.te
> @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
>
>  init_dontaudit_use_fds(auditctl_t)
>
> -locallogin_dontaudit_use_fds(auditctl_t)
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(auditctl_t)
> +')

This new optional should be moved down with the other auditctl_t ones, 
above the mta_send_mail().

>  logging_set_audit_parameters(auditctl_t)
>  logging_send_syslog_msg(auditctl_t)
> @@ -565,6 +567,8 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(syslogd_t)
> +	# for systemd-journal to read seat data from /run/udev/data
> +	udev_read_pid_files(syslogd_t)
>  ')
>
>  optional_policy(`
> Index: refpolicy-2.20170212/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20170212/policy/modules/system/lvm.te
> @@ -301,6 +301,9 @@ init_dontaudit_getattr_initctl(lvm_t)
>  init_use_script_ptys(lvm_t)
>  init_read_script_state(lvm_t)
>
> +# for systemd-cryptsetup
> +dev_write_kmsg(lvm_t)
> +
>  logging_send_syslog_msg(lvm_t)
>
>  miscfiles_read_localization(lvm_t)
> Index: refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20170212/policy/modules/system/selinuxutil.te
> @@ -343,7 +343,9 @@ files_relabel_non_auth_files(restorecond
>  files_read_non_auth_files(restorecond_t)
>  auth_use_nsswitch(restorecond_t)
>
> -locallogin_dontaudit_use_fds(restorecond_t)
> +optional_policy(`
> +	locallogin_dontaudit_use_fds(restorecond_t)
> +')

This optional should move down to above the optional with 
rpm_use_script_fds().


>  logging_send_syslog_msg(restorecond_t)
>
> @@ -482,7 +484,9 @@ term_use_all_terms(semanage_t)
>  # Running genhomedircon requires this for finding all users
>  auth_use_nsswitch(semanage_t)
>
> -locallogin_use_fds(semanage_t)
> +optional_policy(`
> +	locallogin_use_fds(semanage_t)
> +')

This new optional should go down after the distro_ubuntu block.

>  logging_send_syslog_msg(semanage_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20170212/policy/modules/system/sysnetwork.te
> @@ -145,7 +145,9 @@ logging_send_syslog_msg(dhcpc_t)
>
>  miscfiles_read_localization(dhcpc_t)
>
> -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +optional_policy(`
> +	modutils_run_insmod(dhcpc_t, dhcpc_roles)
> +')

This new optional should go down above the netutil_run*(dhcpc_t) 
optional block.


>  sysnet_run_ifconfig(dhcpc_t, dhcpc_roles)
>
> @@ -333,7 +335,9 @@ logging_send_syslog_msg(ifconfig_t)
>
>  miscfiles_read_localization(ifconfig_t)
>
> -modutils_domtrans_insmod(ifconfig_t)
> +optional_policy(`
> +	modutils_domtrans_insmod(ifconfig_t)
> +')

This new optional should go down after the ipsec_*() optional block.

>  seutil_use_runinit_fds(ifconfig_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170212/policy/modules/system/init.te
> @@ -304,10 +304,6 @@ ifdef(`init_systemd',`
>  ',`
>  	tunable_policy(`init_upstart',`
>  		corecmd_shell_domtrans(init_t, initrc_t)
> -	',`
> -		# Run the shell in the sysadm role for single-user mode.
> -		# causes problems with upstart
> -		sysadm_shell_domtrans(init_t)

I don't think we want to remove this, as it will impact sysvinit, which 
Gentoo still uses.


>  	')
>  ')
>
> @@ -561,8 +557,10 @@ miscfiles_read_localization(initrc_t)
>  # slapd needs to read cert files from its initscript
>  miscfiles_read_generic_certs(initrc_t)
>
> -modutils_read_module_config(initrc_t)
> -modutils_domtrans_insmod(initrc_t)
> +optional_policy(`
> +	modutils_read_module_config(initrc_t)
> +	modutils_domtrans_insmod(initrc_t)
> +')

This new optional should go much farther down, between the mailman and mta 
optional blocks.

>  seutil_read_config(initrc_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20170212/policy/modules/system/udev.te
> @@ -56,6 +56,7 @@ allow udev_t self:unix_stream_socket con
>  allow udev_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow udev_t self:netlink_generic_socket create_socket_perms;
>  allow udev_t self:rawip_socket create_socket_perms;
> +fs_read_cgroup_files(udev_t)

This should go down with the other fs_* calls.

>  allow udev_t udev_exec_t:file write;
>  can_exec(udev_t, udev_exec_t)
> @@ -82,6 +83,8 @@ files_pid_filetrans(udev_t, udev_var_run
>  kernel_load_module(udev_t)
>  kernel_read_system_state(udev_t)
>  kernel_request_load_module(udev_t)
> +# systemd-udevd needs kernel_load_module
> +kernel_load_module(udev_t)

This rule is already in, at the top of the hunk actually :)


>  kernel_getattr_core_if(udev_t)
>  kernel_use_fds(udev_t)
>  kernel_read_device_sysctls(udev_t)
> Index: refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170212/policy/modules/contrib/kerneloops.te
> @@ -28,6 +28,7 @@ manage_files_pattern(kerneloops_t, kerne
>  files_tmp_filetrans(kerneloops_t, kerneloops_tmp_t, file)
>
>  kernel_read_ring_buffer(kerneloops_t)
> +kernel_read_system_state(kerneloops_t)
>
>  domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170212/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20170212/policy/modules/system/locallogin.te
> @@ -62,6 +62,8 @@ kernel_link_key(local_login_t)
>
>  corecmd_list_bin(local_login_t)
>  corecmd_read_bin_symlinks(local_login_t)
> +# for /bin/uname
> +corecmd_exec_bin(local_login_t)

Why would /bin/login run uname?


>  # cjp: these are probably not needed:
>  corecmd_read_bin_files(local_login_t)
>  corecmd_read_bin_pipes(local_login_t)
> Index: refpolicy-2.20170212/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20170212/policy/modules/services/xserver.if
> @@ -913,7 +913,7 @@ interface(`xserver_setattr_xdm_tmp_dirs'
>
>  ########################################
>  ## <summary>
> -##	Create a named socket in a XDM
> +##	Create and unlink a named socket in a XDM
>  ##	temporary directory.
>  ## </summary>
>  ## <param name="domain">
> @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
>  	files_search_tmp($1)
>  	allow $1 xdm_tmp_t:dir list_dir_perms;
>  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> +	allow $1 xdm_tmp_t:sock_file unlink;

This should be a new interface, as callers won't expect the unlink 
access from a "create" interface.


-- 
Chris PeBenito


* [refpolicy] [PATCH] little misc patches
  2017-02-12 11:38 [refpolicy] [PATCH] little misc patches Russell Coker
  2017-02-12 19:25 ` Chris PeBenito
@ 2017-02-12 19:36 ` Nicolas Iooss
  2017-02-16 13:38   ` Russell Coker
  1 sibling, 1 reply; 5+ messages in thread
From: Nicolas Iooss @ 2017-02-12 19:36 UTC (permalink / raw)
  To: refpolicy

On Sun, Feb 12, 2017 at 12:38 PM, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:

> This is a bunch of minor fixes that I split out from another patch which
> also
> has some of the interfaces needed for the systemd core patch I sent a few
> days ago (which is why that one didn't work).
>
> After we get this one done I'll create a patch set for systemd that should
> make pebenito happy.  ;)
>
> Fix some minor labelling issues for init.
>
> Make lots of things optional_policy to allow more modular builds.
>
> Remove the sysadm_shell_domtrans(init_t) line, it causes problems with
> systemd
> as well as upstart.
>
> Allow kerneloops_t to read /proc/cpuinfo etc
>
> make xserver_create_xdm_tmp_socket() also allow unlinking the socket in
> question
>
>
> Index: refpolicy-2.20170212/policy/modules/system/init.fc
> ===================================================================
> --- refpolicy-2.20170212.orig/policy/modules/system/init.fc
> +++ refpolicy-2.20170212/policy/modules/system/init.fc
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
>  /usr/lib/rc/init\.d(/.*)?              gen_context(system_u:object_r:
> initrc_state_t,s0)
>  ')
>
> +/usr/lib/systemd/[^/]* --      gen_context(system_u:object_r:
> init_exec_t,s0)
> +/usr/lib/systemd/system-generators/[^/]* --
> gen_context(system_u:object_r:init_exec_t,s0)
>
>  /usr/libexec/dcc/start-.* --   gen_context(system_u:object_r:
> initrc_exec_t,s0)
>  /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:
> initrc_exec_t,s0)
>

Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of
bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t
and /usr/lib/systemd/ contains other programs such as systemd services
(whose contexts are defined in policy/modules/system/systemd.fc).

Nicolas


* [refpolicy] [PATCH] little misc patches
  2017-02-12 19:25 ` Chris PeBenito
@ 2017-02-16 11:57   ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-16 11:57 UTC (permalink / raw)
  To: refpolicy

On Mon, 13 Feb 2017 06:25:20 AM Chris PeBenito via refpolicy wrote:
> > @@ -42,6 +44,8 @@ ifdef(`distro_gentoo', `
> > 
> >  /usr/sbin/init(ng)?	--	gen_context(system_u:object_r:init_exec_t,s0)
> >  /usr/sbin/open_init_pty	--	
gen_context(system_u:object_r:initrc_exec_t,s
> >  0) /usr/sbin/upstart	--	gen_context(system_u:object_r:init_exec_t,s0)
> > 
> > +/usr/sbin/startx	--	
gen_context(system_u:object_r:initrc_exec_t,s0)
> 
> This doesn't seem right.  Then if you don't have XDM, regular users
> can't run startx.

Can they run startx anyway?  I don't expect it to work but haven't tested it.  
Anyway I removed that from my tree as it probably wouldn't work either.  ;)

> > --- refpolicy-2.20170212.orig/policy/modules/system/logging.te
> > +++ refpolicy-2.20170212/policy/modules/system/logging.te
> > @@ -124,7 +124,9 @@ term_use_all_terms(auditctl_t)
> > 
> >  init_dontaudit_use_fds(auditctl_t)
> > 
> > -locallogin_dontaudit_use_fds(auditctl_t)
> > +optional_policy(`
> > +	locallogin_dontaudit_use_fds(auditctl_t)
> > +')
> 
> This new optional should be moved down with the other auditctl_t ones,
> above the mta_send_mail().

That's an auditd_t optional.  But in any case I moved the auditctl_t one to 
the bottom of its section.

> > -locallogin_dontaudit_use_fds(restorecond_t)
> > +optional_policy(`
> > +	locallogin_dontaudit_use_fds(restorecond_t)
> > +')
> 
> This optional should move down to the above the optional with
> rpm_use_script_fds().

OK.

> > -locallogin_use_fds(semanage_t)
> > +optional_policy(`
> > +	locallogin_use_fds(semanage_t)
> > +')
> 
> This new optional should go down after the distro_ubuntu block.

OK.

> > -modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +optional_policy(`
> > +	modutils_run_insmod(dhcpc_t, dhcpc_roles)
> > +')
> 
> This new optional should go down above the netutil_run*(dhcpc_t)
> optional block.

OK.

> > -modutils_domtrans_insmod(ifconfig_t)
> > +optional_policy(`
> > +	modutils_domtrans_insmod(ifconfig_t)
> > +')
> 
> This new optional should go down after the ipsec_*() optional block.

OK.

> > -	',`
> > -		# Run the shell in the sysadm role for single-user mode.
> > -		# causes problems with upstart
> > -		sysadm_shell_domtrans(init_t)
> 
> I don't think we want to remove this, as it will impact sysvinit, which
> Gentoo still uses.

Does Gentoo have systemd working?

I've added ifndef(`distro_debian' around it.  That gives it clear function and 
clear intent for the next people who want to work on it.

> > -modutils_read_module_config(initrc_t)
> > -modutils_domtrans_insmod(initrc_t)
> > +optional_policy(`
> > +	modutils_read_module_config(initrc_t)
> > +	modutils_domtrans_insmod(initrc_t)
> > +')
> 
> This new optional should much farther down, between the mailman and mta
> optional blocks.

OK.

> > +fs_read_cgroup_files(udev_t)
> 
> The should go down with the other fs_* calls.

OK

> > +# systemd-udevd needs kernel_load_module
> > +kernel_load_module(udev_t)
> 
> This rule is already in, at the top of the hunk actually :)

OK.

> > +# for /bin/uname
> > +corecmd_exec_bin(local_login_t)
> 
> Why would /bin/login run uname?

I can't reproduce it at this time.  So I've removed it from my tree.
 
> > @@ -930,6 +930,7 @@ interface(`xserver_create_xdm_tmp_socket
> > 
> >  	files_search_tmp($1)
> >  	allow $1 xdm_tmp_t:dir list_dir_perms;
> >  	create_sock_files_pattern($1, xdm_tmp_t, xdm_tmp_t)
> > 
> > +	allow $1 xdm_tmp_t:sock_file unlink;
> 
> This should be a new interface, as callers won't expect the unlink
> access from a "create" interface.

I've added a new interface.  It has no callers yet as I didn't make a note of 
which domains needed to unlink it.  I'm sure I'll find some in the next few 
days.  ;)

I'll send a new patch in a few minutes.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] little misc patches
  2017-02-12 19:36 ` Nicolas Iooss
@ 2017-02-16 13:38   ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2017-02-16 13:38 UTC (permalink / raw)
  To: refpolicy

On Mon, 13 Feb 2017 06:36:50 AM Nicolas Iooss via refpolicy wrote:
> > +/usr/lib/systemd/[^/]* --      gen_context(system_u:object_r:
> > init_exec_t,s0)
> > +/usr/lib/systemd/system-generators/[^/]* --
> > gen_context(system_u:object_r:init_exec_t,s0)
> >
> >  /usr/libexec/dcc/start-.* --   gen_context(system_u:object_r:
> > initrc_exec_t,s0)
> >
> >  /usr/libexec/dcc/stop-.* --    gen_context(system_u:object_r:
> > initrc_exec_t,s0)
> 
> Why is /usr/lib/systemd/[^/]* needed and labeled init_exec_t, instead of
> bin_t for example? /usr/lib/systemd/systemd is already labeled init_exec_t
> and /usr/lib/systemd/ contains other programs such as systemd services
> (which contexts are defined in policy/modules/system/systemd.fc).

I've removed that, it works well without it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

