* [refpolicy]  [PATCH] tiny patches for fetchmail, mysql, and tor
@ 2017-02-20  5:47 Russell Coker
From: Russell Coker @ 2017-02-20  5:47 UTC (permalink / raw)
  To: refpolicy

All obvious and trivial patches.  Please apply.

Index: refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
@@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
 setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
 logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
 
+allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
 allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
 mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
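Review bot: The added `manage_dir_perms` rule only reaches directories that already carry the fetchmail_uidl_cache_t label, but the filetrans rule on the following line still names only `file`, so a directory fetchmail creates in the spool would inherit the spool's label and the new rule would never match it. If fetchmail does create a directory there, the transition should be widened to `mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, { dir file })`; if the directory pre-exists with the right label, a short comment above the new rule naming the directory that triggered the denial would save the next reader the same question. This is inferred from the visible rules only; the rest of fetchmail's spool handling is outside the hunk.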
 
Index: refpolicy-2.20170220/policy/modules/contrib/mysql.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/mysql.te
+++ refpolicy-2.20170220/policy/modules/contrib/mysql.te
@@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
-allow mysqld_t self:unix_stream_socket { accept listen };
+allow mysqld_t self:unix_stream_socket { connectto accept listen };
 allow mysqld_t self:tcp_socket { accept listen };
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
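Review bot: `connectto` on self:unix_stream_socket lets a mysqld_t process connect to a unix socket whose listener is also mysqld_t, which is not the ordinary client path and deserves a one-line comment above the rule saying which operation needs it (a second instance, a replication or utility connection — confirm against the denial that prompted this), e.g. `# mysqld connects to a socket served by another mysqld_t process`. Without that, a later reader cannot tell whether the permission was required by the daemon or left over from debugging.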
@@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var
 kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
+kernel_read_vm_sysctls(mysqld_t)
 
 corenet_all_recvfrom_unlabeled(mysqld_t)
 corenet_all_recvfrom_netlabel(mysqld_t)
@@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { ch
 allow mysqld_safe_t self:process { setsched getsched setrlimit };
 allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
 
-allow mysqld_safe_t mysqld_t:process signull;
+allow mysqld_safe_t mysqld_t:process { signull sigkill };
 
 read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
@@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t
 corecmd_exec_bin(mysqld_safe_t)
 corecmd_exec_shell(mysqld_safe_t)
 
-dev_list_sysfs(mysqld_safe_t)
+dev_read_sysfs(mysqld_safe_t)
 
 domain_read_all_domains_state(mysqld_safe_t)
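Review bot: Replacing `dev_list_sysfs` with `dev_read_sysfs` widens mysqld_safe_t from listing sysfs directories to reading every sysfs file, and the hunk records no reason for it. sysfs exposes hardware and kernel-tuning state, so if the denial was for a single path a comment above the line such as `# mysqld_safe reads <sysfs path from the denial>` would document why the broader interface was chosen; if it genuinely needs broad reads the change is fine as is. This is a mild widening for a wrapper-script domain, not a blocker.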
 
Index: refpolicy-2.20170220/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20170220.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20170220/policy/modules/contrib/tor.te
@@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir,
 # Local policy
 #
 
-allow tor_t self:capability { setgid setuid sys_tty_config };
+allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
 allow tor_t self:process signal;
 allow tor_t self:fifo_file rw_fifo_file_perms;
 allow tor_t self:unix_stream_socket { accept listen };
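Review bot: The new capability set on this line grants tor_t `dac_override` and `dac_read_search`, which let the daemon bypass file-mode checks on every object its type rules already allow, plus `chown`, `fowner` and `fsetid` to re-own and re-mode files — a wide grant for a network-facing daemon, with nothing in the hunk recording why. If these come from tor starting as root and fixing up the ownership and mode of its data or socket directory before dropping to its own user, that belongs in a comment above the rule, e.g. `# chown/dac_*: fix up DataDirectory ownership before dropping privileges` (an inference — confirm against the denials that prompted this). It is also worth checking whether `dac_read_search` alone covers the denial, since `dac_override` is the broader of the two and refpolicy normally grants only the narrower one. If the access is a startup probe tor tolerates failing, a `dontaudit` rule would be preferable to an allow.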
@@ -62,6 +62,7 @@ create_files_pattern(tor_t, tor_var_log_
 setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
 logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
+fs_search_tmpfs(tor_t)
 
 manage_dirs_pattern(tor_t, tor_var_run_t, tor_var_run_t)
 manage_files_pattern(tor_t, tor_var_run_t, tor_var_run_t)


* [refpolicy] [PATCH] tiny patches for fetchmail, mysql, and tor
@ 2017-02-20 15:27 ` Chris PeBenito
From: Chris PeBenito @ 2017-02-20 15:27 UTC (permalink / raw)
  To: refpolicy

On 02/20/17 00:47, Russell Coker via refpolicy wrote:
> All obvious and trivial patches.  Please apply.
>
> Index: refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/fetchmail.te
> +++ refpolicy-2.20170220/policy/modules/contrib/fetchmail.te
> @@ -47,6 +47,7 @@ create_files_pattern(fetchmail_t, fetchm
>  setattr_files_pattern(fetchmail_t, fetchmail_log_t, fetchmail_log_t)
>  logging_log_filetrans(fetchmail_t, fetchmail_log_t, { dir file })
>
> +allow fetchmail_t fetchmail_uidl_cache_t:dir manage_dir_perms;
>  allow fetchmail_t fetchmail_uidl_cache_t:file manage_file_perms;
>  mta_spool_filetrans(fetchmail_t, fetchmail_uidl_cache_t, file)
>
> Index: refpolicy-2.20170220/policy/modules/contrib/mysql.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/mysql.te
> +++ refpolicy-2.20170220/policy/modules/contrib/mysql.te
> @@ -70,7 +70,7 @@ dontaudit mysqld_t self:capability sys_t
>  allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
>  allow mysqld_t self:shm create_shm_perms;
> -allow mysqld_t self:unix_stream_socket { accept listen };
> +allow mysqld_t self:unix_stream_socket { connectto accept listen };
>  allow mysqld_t self:tcp_socket { accept listen };
>
>  manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> @@ -101,6 +101,7 @@ files_pid_filetrans(mysqld_t, mysqld_var
>  kernel_read_kernel_sysctls(mysqld_t)
>  kernel_read_network_state(mysqld_t)
>  kernel_read_system_state(mysqld_t)
> +kernel_read_vm_sysctls(mysqld_t)
>
>  corenet_all_recvfrom_unlabeled(mysqld_t)
>  corenet_all_recvfrom_netlabel(mysqld_t)
> @@ -165,7 +166,7 @@ allow mysqld_safe_t self:capability { ch
>  allow mysqld_safe_t self:process { setsched getsched setrlimit };
>  allow mysqld_safe_t self:fifo_file rw_fifo_file_perms;
>
> -allow mysqld_safe_t mysqld_t:process signull;
> +allow mysqld_safe_t mysqld_t:process { signull sigkill };
>
>  read_lnk_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
>  manage_files_pattern(mysqld_safe_t, mysqld_db_t, mysqld_db_t)
> @@ -190,7 +191,7 @@ kernel_read_kernel_sysctls(mysqld_safe_t
>  corecmd_exec_bin(mysqld_safe_t)
>  corecmd_exec_shell(mysqld_safe_t)
>
> -dev_list_sysfs(mysqld_safe_t)
> +dev_read_sysfs(mysqld_safe_t)
>
>  domain_read_all_domains_state(mysqld_safe_t)
>
> Index: refpolicy-2.20170220/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20170220.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20170220/policy/modules/contrib/tor.te
> @@ -41,7 +41,7 @@ init_daemon_pid_file(tor_var_run_t, dir,
>  # Local policy
>  #
>
> -allow tor_t self:capability { setgid setuid sys_tty_config };
> +allow tor_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid sys_tty_config };
>  allow tor_t self:process signal;
>  allow tor_t self:fifo_file rw_fifo_file_perms;
>  allow tor_t self:unix_stream_socket { accept listen };
> @@ -62,6 +62,7 @@ create_files_pattern(tor_t, tor_var_log_
>  setattr_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
>  manage_sock_files_pattern(tor_t, tor_var_log_t, tor_var_log_t)
>  logging_log_filetrans(tor_t, tor_var_log_t, { sock_file file dir })
> +fs_search_tmpfs(tor_t)

Merged, though I moved the above line.

-- 
Chris PeBenito

