From: russell@coker.com.au (Russell Coker)
To: refpolicy@oss.tresys.com
Subject: [refpolicy]  [PATCH] tiny patches for fetchmail, mysql, and tor
Date: Mon, 20 Feb 2017 16:47:08 +1100	[thread overview]
Message-ID: <20170220054708.hwu4vkj5utyk5jly@athena.coker.com.au> (raw)

All obvious and trivial patches.  Please apply.

Index: refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
 
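Review bot: The new `manage_dir_perms` rule on fetchmail_uidl_cache_t directories has no matching directory type transition: the `mta_spool_filetrans` on the following line still names only `file`, so a directory fetchmail creates in the mail spool would receive the spool's default label rather than fetchmail_uidl_cache_t, and the added rule only reaches directories already labelled that way by fetchmail.fc, which is not part of this patch. If fetchmail now creates a UIDL cache directory, extend the transition to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })` and add the corresponding fc entry in the same patch. If it only operates on an existing directory, a one-line comment naming that directory above the rule would let the next reviewer see why directory permissions were needed.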
Index: refpolicy-2.20170220/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20170220/policy/modules/contrib/mysql.te
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
@@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var
 kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 
 corenet_all_recvfrom_unlabeled(mysqld_t)
 corenet_all_recvfrom_netlabel(mysqld_t)
@@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { ch
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
-dev_list_sysfs(mysqld_safe_t)
+dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
 
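Review bot: Replacing `dev_list_sysfs` with `dev_read_sysfs` widens mysqld_safe_t from listing sysfs directories to reading every file under /sys, and the patch gives no hint which file the wrapper script needs. Since mysqld_safe is a shell script, the denial presumably comes from it reading one specific sysfs node (verify against the audit log); a comment above the line such as `# mysqld_safe reads <sysfs path> for <reason>` would document the widening and make it possible to narrow the access later. The mysqld_safe_t local policy continues outside this hunk.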
Index: refpolicy-2.20170220/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170220/policy/modules/contrib/tor.te
@@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir,
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
@@ -62,6 +62,7 @@ create_files_pattern(tor_t, tor_var_log_
 setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+fs_search_tmpfs(tor_t)
 
 manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)

2017-02-20  5:47 Russell Coker [this message]
2017-02-20 15:27 ` [refpolicy] [PATCH] tiny patches for fetchmail, mysql, and tor Chris PeBenito
