* [refpolicy] [PATCH] misc daemons
@ 2017-04-17 13:46 Russell Coker
  2017-04-17 16:39 ` Guido Trentalancia
  2017-04-19  0:38 ` Chris PeBenito
  0 siblings, 2 replies; 6+ messages in thread
From: Russell Coker @ 2017-04-17 13:46 UTC (permalink / raw)
  To: refpolicy

Put in libx32 subs entries that refer to directories with fc entries.

Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
dpkg-reconfigure.

Some dontaudit rules for mta processes spawned by mon for notification.

Lots of tiny changes that are obvious.

Index: refpolicy-2.20170417/config/file_contexts.subs_dist
===================================================================
--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
+++ refpolicy-2.20170417/config/file_contexts.subs_dist
@@ -12,13 +12,14 @@
 /lib /usr/lib
 /lib32 /usr/lib
 /lib64 /usr/lib
-/libx32 /usr/libx32
+/libx32 /usr/lib
 /sbin /usr/sbin
 /etc/init.d /etc/rc.d/init.d
 /lib/systemd /usr/lib/systemd
 /run/lock /var/lock
 /usr/lib32 /usr/lib
 /usr/lib64 /usr/lib
+/usr/libx32 /usr/lib
 /usr/local/lib32 /usr/lib
 /usr/local/lib64 /usr/lib
 /usr/local/lib /usr/lib
Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
 kernel_change_ring_buffer_level(dmesg_t)
 kernel_list_proc(dmesg_t)
 kernel_read_proc_symlinks(dmesg_t)
+dev_read_kmsg(dmesg_t)
+
 # for when /usr is not mounted:
 kernel_dontaudit_search_unlabeled(dmesg_t)
 
Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
 files_dontaudit_search_var(ping_t)
 
 kernel_read_system_state(ping_t)
+dev_read_urand(ping_t)
 
 auth_use_nsswitch(ping_t)
 
Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
 
 allow alsa_t alsa_home_t:file read_file_perms;
 
+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
 list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
 read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
 read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
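Review bot: The files_pid_filetrans on the first added line labels a new "alsa" directory under the pid directory as alsa_var_lock_t, but this patch carries no alsa.fc entry for that path, so a relabel with restorecon only agrees with the runtime transition if alsa.fc already covers it; if it does not, an fc line for the directory should accompany this change. Using a type whose name suggests /var/lock content for a directory directly under the pid directory rather than under the lock directory is also worth a confirming comment above the line, e.g. `# /run/alsa: <which tool creates it> — confirm against alsa.fc`. Style: refpolicy normally lists the manage_*_pattern rules first and the filetrans that depends on them after, so the two following added lines would read better placed before the filetrans.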
Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
@@ -21,7 +21,7 @@ files_type(backup_store_t)
 # Local policy
 #
 
-allow backup_t self:capability dac_override;
+allow backup_t self:capability { chown dac_override fsetid };
 allow backup_t self:process signal;
 allow backup_t self:fifo_file rw_fifo_file_perms;
 allow backup_t self:tcp_socket create_socket_perms;
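Review bot: The capability line now grants chown and fsetid alongside dac_override with no comment saying which backup operation needs them, and the description only calls the change obvious. fsetid lets the domain retain setuid/setgid bits on files it writes and chown lets it change ownership, so both are worth tying to an observed denial rather than adding speculatively; a one-line comment above the rule such as `# chown and fsetid: restore ownership and set-id bits on restored files — confirm` would record the intent for the next reviewer.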
Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
 
 kernel_read_kernel_sysctls(bitlbee_t)
 kernel_read_system_state(bitlbee_t)
+kernel_read_crypto_sysctls(bitlbee_t)
 
 corenet_all_recvfrom_unlabeled(bitlbee_t)
 corenet_all_recvfrom_netlabel(bitlbee_t)
Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
 allow dpkg_t self:msg { send receive };
 
 allow dpkg_t dpkg_lock_t:file manage_file_perms;
+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
+corecmd_bin_entry_type(dpkg_script_t)
 
 spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
 
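Review bot: corecmd_bin_domtrans(dpkg_t, dpkg_script_t) on the first added line transitions every bin_t executable started by dpkg_t into dpkg_script_t, which is broader than the dpkg-reconfigure case given in the description; if dpkg_t also executes ordinary bin_t helpers during package operations, those now run in the maintainer-script domain as well (the rest of dpkg.te is outside the hunk, so I cannot confirm what else dpkg_t executes). A dedicated exec type for dpkg-reconfigure would scope the transition precisely; failing that, a comment such as `# dpkg-reconfigure is bin_t and must run as a maintainer script` above the line records why the broad transition was chosen.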
@@ -307,6 +309,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	devicekit_dbus_chat_power(dpkg_script_t)
+')
+
+optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')
 
Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
 fs_getattr_all_fs(fetchmail_t)
Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
 
 kernel_read_ring_buffer(kerneloops_t)
 kernel_read_system_state(kerneloops_t)
+dev_read_urand(kerneloops_t)
 
 domain_use_interactive_fds(kerneloops_t)
 
Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
 locallogin_use_fds(loadkeys_t)
 
 miscfiles_read_localization(loadkeys_t)
+init_read_script_tmp_files(loadkeys_t)
 
 userdom_use_user_ttys(loadkeys_t)
 userdom_list_user_home_content(loadkeys_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
@@ -1 +1,37 @@
 ## <summary>mon network monitoring daemon.</summary>
+
+######################################
+## <summary>
+##      dontaudit searching /var/lib/mon
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`mon_dontaudit_search_var_lib',`
+	gen_require(`
+		type mon_var_lib_t;
+	')
+
+	dontaudit $1 mon_var_lib_t:dir search;
+')
+
+######################################
+## <summary>
+##      dontaudit using an inherited fd from mon_t
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit
+##      </summary>
+## </param>
+#
+interface(`mon_dontaudit_fd_use',`
+	gen_require(`
+		type mon_t;
+	')
+
+	dontaudit $1 mon_t:fd use;
+')
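Review bot: The XML doc blocks on the two new interfaces use space-indented `##      <summary>` lines and a shorter `#` header row than the udev.if hunk later in this patch, which uses the tab-indented refpolicy form; matching that form keeps the generated interface documentation consistent across modules. The interface bodies themselves are minimal, and the param text "Domain to not audit" is the correct wording for a dontaudit interface.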
Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
 files_read_etc_files(mon_t)
 files_read_etc_runtime_files(mon_t)
 files_read_usr_files(mon_t)
+files_search_var_lib(mon_t)
 
 fs_getattr_all_fs(mon_t)
 fs_search_auto_mountpoints(mon_t)
Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
@@ -324,6 +324,10 @@ optional_policy(`
 	')
 ')
 
+optional_policy(`
+	mon_dontaudit_fd_use(mta_user_agent)
+')
+
 ########################################
 #
 # Mailserver delivery local policy
@@ -379,6 +383,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mon_dontaudit_search_var_lib(mailserver_delivery)
+')
+
+optional_policy(`
 	postfix_rw_inherited_master_pipes(mailserver_delivery)
 ')
 
Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
@@ -386,6 +386,7 @@ optional_policy(`
 #
 
 allow system_munin_plugin_t self:udp_socket create_socket_perms;
+allow system_munin_plugin_t self:capability net_admin;
 
 rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
 
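Review bot: The net_admin capability on the added line is a broad one for a plugin domain (it covers interface, routing and similar configuration), and nothing in the hunk says which plugin or call needed it. Many net_admin denials come from setsockopt probes that succeed without the capability, in which case `dontaudit system_munin_plugin_t self:capability net_admin;` is the usual refpolicy treatment; if it is genuinely required, a comment naming the plugin above the line would justify granting it. The file's second hunk (files_read_usr_files) raises nothing.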
@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
 
 dev_read_sysfs(system_munin_plugin_t)
 dev_read_urand(system_munin_plugin_t)
+files_read_usr_files(system_munin_plugin_t)
 
 domain_read_all_domains_state(system_munin_plugin_t)
 
Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
@@ -78,7 +78,7 @@ interface(`mysql_signal',`
 		type mysqld_t;
 	')
 
-	allow $1 mysqld_t:process signal;
+	allow $1 mysqld_t:process { signal signull };
 ')
 
 ########################################
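Review bot: Adding signull changes what mysql_signal grants from delivering a signal to also permitting an existence check on mysqld_t, and the interface's summary block above this hunk should say so; its current wording is outside the hunk so I cannot quote it, but appending something like "and check whether it is running" to the summary would keep the documentation accurate. Existing callers now silently receive signull as well, which is harmless but worth a mention in the description.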
Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
 read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
 
-allow ntpd_t ntpd_lock_t:file write_file_perms;
+allow ntpd_t ntpd_lock_t:file rw_file_perms;
 
 allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
 append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
 	files_list_non_auth_dirs(rsync_t)
 	files_read_non_auth_files(rsync_t)
 	files_read_non_auth_symlinks(rsync_t)
+	getattr_fifo_files_pattern(rsync_t, file_type, file_type)
+	getattr_sock_files_pattern(rsync_t, file_type, file_type)
 	auth_tunable_read_shadow(rsync_t)
 ')
 
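Review bot: The two added getattr_*_pattern lines reference the file_type attribute directly from a contrib module, while the surrounding lines in this tunable block go through files_* interfaces that deliberately exclude auth content (the non_auth variants); refpolicy style is to reach another module's attributes only through its interfaces, and files.if provides files_getattr_all_pipes() and files_getattr_all_sockets() for exactly this. Replacing the two lines with `files_getattr_all_pipes(rsync_t)` and `files_getattr_all_sockets(rsync_t)` also avoids an implicit gen_require of file_type in rsync.te (not visible here). Whether getattr on fifos and sockets of every type, including auth and security types, is intended under the read-only export tunable deserves a confirming comment either way.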
Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
 
 miscfiles_read_localization(rtkit_daemon_t)
 
+selinux_getattr_fs(rtkit_daemon_t)
+seutil_search_default_contexts(rtkit_daemon_t)
+
 optional_policy(`
 	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
 
Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
 files_read_etc_files(fsdaemon_t)
 files_read_etc_runtime_files(fsdaemon_t)
 files_read_usr_files(fsdaemon_t)
+files_search_var_lib(fsdaemon_t)
 
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
Index: refpolicy-2.20170417/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170417/policy/modules/system/fstools.te
@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
 allow fsadm_t fsadm_run_t:file manage_file_perms;
 files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
 
+# for /run/mount/utab
+stat_mount_var_run(fsadm_t)
+
 # log files
 allow fsadm_t fsadm_log_t:dir setattr;
 manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
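Review bot: The interface called on the added line, stat_mount_var_run, does not follow the refpolicy module-prefix naming convention that every other call in this hunk follows (files_, udev_), and the same applies to dontaudit_udev_pidfile_rw, which this file's second hunk calls and the udev.if hunk defines; a name such as `udev_dontaudit_rw_pid_files` (or similar) would sort with the other udev_ interfaces and make the owning module obvious. stat_mount_var_run is also not defined anywhere in this patch, so if it is new it needs a mount.if hunk, and if it already exists in the tree that is worth stating in the description. The `# for /run/mount/utab` comment above the call is the right kind of justification and should be kept.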
@@ -208,6 +211,10 @@ optional_policy(`
 
 optional_policy(`
 	udev_read_db(fsadm_t)
+
+	# Xen causes losetup to run with a presumably accidentally inherited
+	# file handle for /run/xen-hotplug/block
+	dontaudit_udev_pidfile_rw(fsadm_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20170417/policy/modules/system/udev.if
===================================================================
--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
+++ refpolicy-2.20170417/policy/modules/system/udev.if
@@ -301,6 +301,24 @@ interface(`udev_list_pids',`
 
 ########################################
 ## <summary>
+##	dontaudit attempts to read/write udev pidfiles
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dontaudit_udev_pidfile_rw',`
+	gen_require(`
+		type udev_var_run_t;
+	')
+
+	dontaudit $1 udev_var_run_t:file { read write };
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	udev pid directories
 ## </summary>
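Review bot: The param summary of the new dontaudit_udev_pidfile_rw interface says "Domain allowed access." although the interface only suppresses audit records and grants nothing; the mon.if interfaces added in this same patch use "Domain to not audit", which is the accurate wording and should be used here too. The interface body is fine as a dontaudit on udev_var_run_t:file { read write }; the fstools hunk that calls it already carries the Xen inherited-descriptor explanation, and pointing to that in the summary would help readers who land on the interface first.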


* [refpolicy] [PATCH] misc daemons
  2017-04-17 13:46 [refpolicy] [PATCH] misc daemons Russell Coker
@ 2017-04-17 16:39 ` Guido Trentalancia
  2017-04-19  0:38 ` Chris PeBenito
  1 sibling, 0 replies; 6+ messages in thread
From: Guido Trentalancia @ 2017-04-17 16:39 UTC (permalink / raw)
  To: refpolicy

Hi,

I think there is one more kernel interface call to skip before inserting the dev_read_kmsg(dmesg_t) call.

Regards, 

Guido 

On the 17th of April 2017 15:46:33 CEST, Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
>Put in libx32 subs entries that refer to directories with fc entries.
>
>Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
>dpkg-reconfigure.
>
>Some dontaudit rules for mta processes spawned by mon for notification.
>
>Lots of tiny changes that are obvious.
>
>Index: refpolicy-2.20170417/config/file_contexts.subs_dist
>===================================================================
>--- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
>+++ refpolicy-2.20170417/config/file_contexts.subs_dist
>@@ -12,13 +12,14 @@
> /lib /usr/lib
> /lib32 /usr/lib
> /lib64 /usr/lib
>-/libx32 /usr/libx32
>+/libx32 /usr/lib
> /sbin /usr/sbin
> /etc/init.d /etc/rc.d/init.d
> /lib/systemd /usr/lib/systemd
> /run/lock /var/lock
> /usr/lib32 /usr/lib
> /usr/lib64 /usr/lib
>+/usr/libx32 /usr/lib
> /usr/local/lib32 /usr/lib
> /usr/local/lib64 /usr/lib
> /usr/local/lib /usr/lib
>Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
>+++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
>@@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
> kernel_change_ring_buffer_level(dmesg_t)
> kernel_list_proc(dmesg_t)
> kernel_read_proc_symlinks(dmesg_t)
>+dev_read_kmsg(dmesg_t)
>+
> # for when /usr is not mounted:
> kernel_dontaudit_search_unlabeled(dmesg_t)
> 
>Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
>+++ refpolicy-2.20170417/policy/modules/admin/netutils.te
>@@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
> files_dontaudit_search_var(ping_t)
> 
> kernel_read_system_state(ping_t)
>+dev_read_urand(ping_t)
> 
> auth_use_nsswitch(ping_t)
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
>+++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
>@@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
> 
> allow alsa_t alsa_home_t:file read_file_perms;
> 
>+files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
>+manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
>+manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
>+++ refpolicy-2.20170417/policy/modules/contrib/backup.te
>@@ -21,7 +21,7 @@ files_type(backup_store_t)
> # Local policy
> #
> 
>-allow backup_t self:capability dac_override;
>+allow backup_t self:capability { chown dac_override fsetid };
> allow backup_t self:process signal;
> allow backup_t self:fifo_file rw_fifo_file_perms;
> allow backup_t self:tcp_socket create_socket_perms;
>Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
>+++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
>@@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
> 
> kernel_read_kernel_sysctls(bitlbee_t)
> kernel_read_system_state(bitlbee_t)
>+kernel_read_crypto_sysctls(bitlbee_t)
> 
> corenet_all_recvfrom_unlabeled(bitlbee_t)
> corenet_all_recvfrom_netlabel(bitlbee_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
>+++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
>@@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
> allow dpkg_t self:msg { send receive };
> 
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>+corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
>+corecmd_bin_entry_type(dpkg_script_t)
> 
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> 
>@@ -307,6 +309,10 @@ optional_policy(`
> ')
> 
> optional_policy(`
>+	devicekit_dbus_chat_power(dpkg_script_t)
>+')
>+
>+optional_policy(`
> 	modutils_run(dpkg_script_t, dpkg_roles)
> ')
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
>+++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
>@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
> 
> files_read_etc_runtime_files(fetchmail_t)
>+files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
> 
> fs_getattr_all_fs(fetchmail_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
>+++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
>@@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
> 
> kernel_read_ring_buffer(kerneloops_t)
> kernel_read_system_state(kerneloops_t)
>+dev_read_urand(kerneloops_t)
> 
> domain_use_interactive_fds(kerneloops_t)
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
>+++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
>@@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
> locallogin_use_fds(loadkeys_t)
> 
> miscfiles_read_localization(loadkeys_t)
>+init_read_script_tmp_files(loadkeys_t)
> 
> userdom_use_user_ttys(loadkeys_t)
> userdom_list_user_home_content(loadkeys_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.if
>@@ -1 +1,37 @@
> ## <summary>mon network monitoring daemon.</summary>
>+
>+######################################
>+## <summary>
>+##      dontaudit searching /var/lib/mon
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain to not audit
>+##      </summary>
>+## </param>
>+#
>+interface(`mon_dontaudit_search_var_lib',`
>+	gen_require(`
>+		type mon_var_lib_t;
>+	')
>+
>+	dontaudit $1 mon_var_lib_t:dir search;
>+')
>+
>+######################################
>+## <summary>
>+##      dontaudit using an inherited fd from mon_t
>+## </summary>
>+## <param name="domain">
>+##      <summary>
>+##      Domain to not audit
>+##      </summary>
>+## </param>
>+#
>+interface(`mon_dontaudit_fd_use',`
>+	gen_require(`
>+		type mon_t;
>+	')
>+
>+	dontaudit $1 mon_t:fd use;
>+')
>Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mon.te
>@@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
> files_read_etc_files(mon_t)
> files_read_etc_runtime_files(mon_t)
> files_read_usr_files(mon_t)
>+files_search_var_lib(mon_t)
> 
> fs_getattr_all_fs(mon_t)
> fs_search_auto_mountpoints(mon_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
>+++ refpolicy-2.20170417/policy/modules/contrib/mta.te
>@@ -324,6 +324,10 @@ optional_policy(`
> 	')
> ')
> 
>+optional_policy(`
>+	mon_dontaudit_fd_use(mta_user_agent)
>+')
>+
> ########################################
> #
> # Mailserver delivery local policy
>@@ -379,6 +383,10 @@ optional_policy(`
> ')
> 
> optional_policy(`
>+	mon_dontaudit_search_var_lib(mailserver_delivery)
>+')
>+
>+optional_policy(`
> 	postfix_rw_inherited_master_pipes(mailserver_delivery)
> ')
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
>+++ refpolicy-2.20170417/policy/modules/contrib/munin.te
>@@ -386,6 +386,7 @@ optional_policy(`
> #
> 
> allow system_munin_plugin_t self:udp_socket create_socket_perms;
>+allow system_munin_plugin_t self:capability net_admin;
> 
>rw_files_pattern(system_munin_plugin_t, munin_var_lib_t,
>munin_var_lib_t)
> 
>@@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
> 
> dev_read_sysfs(system_munin_plugin_t)
> dev_read_urand(system_munin_plugin_t)
>+files_read_usr_files(system_munin_plugin_t)
> 
> domain_read_all_domains_state(system_munin_plugin_t)
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
>+++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
>@@ -78,7 +78,7 @@ interface(`mysql_signal',`
> 		type mysqld_t;
> 	')
> 
>-	allow $1 mysqld_t:process signal;
>+	allow $1 mysqld_t:process { signal signull };
> ')
> 
> ########################################
>Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
>+++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
>@@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
> read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
> 
>-allow ntpd_t ntpd_lock_t:file write_file_perms;
>+allow ntpd_t ntpd_lock_t:file rw_file_perms;
> 
> allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
> append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
>Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
>@@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> 	files_list_non_auth_dirs(rsync_t)
> 	files_read_non_auth_files(rsync_t)
> 	files_read_non_auth_symlinks(rsync_t)
>+	getattr_fifo_files_pattern(rsync_t, file_type, file_type)
>+	getattr_sock_files_pattern(rsync_t, file_type, file_type)
> 	auth_tunable_read_shadow(rsync_t)
> ')
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
>+++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
>@@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
> 
> miscfiles_read_localization(rtkit_daemon_t)
> 
>+selinux_getattr_fs(rtkit_daemon_t)
>+seutil_search_default_contexts(rtkit_daemon_t)
>+
> optional_policy(`
> 	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
> 
>Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
>+++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
>@@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
> files_read_etc_files(fsdaemon_t)
> files_read_etc_runtime_files(fsdaemon_t)
> files_read_usr_files(fsdaemon_t)
>+files_search_var_lib(fsdaemon_t)
> 
> fs_getattr_all_fs(fsdaemon_t)
> fs_search_auto_mountpoints(fsdaemon_t)
>Index: refpolicy-2.20170417/policy/modules/system/fstools.te
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
>+++ refpolicy-2.20170417/policy/modules/system/fstools.te
>@@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> allow fsadm_t fsadm_run_t:file manage_file_perms;
> files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
> 
>+# for /run/mount/utab
>+stat_mount_var_run(fsadm_t)
>+
> # log files
> allow fsadm_t fsadm_log_t:dir setattr;
> manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
>@@ -208,6 +211,10 @@ optional_policy(`
> 
> optional_policy(`
> 	udev_read_db(fsadm_t)
>+
>+	# Xen causes losetup to run with a presumably accidentally inherited
>+	# file handle for /run/xen-hotplug/block
>+	dontaudit_udev_pidfile_rw(fsadm_t)
> ')
> 
> optional_policy(`
>Index: refpolicy-2.20170417/policy/modules/system/udev.if
>===================================================================
>--- refpolicy-2.20170417.orig/policy/modules/system/udev.if
>+++ refpolicy-2.20170417/policy/modules/system/udev.if
>@@ -301,6 +301,24 @@ interface(`udev_list_pids',`
> 
> ########################################
> ## <summary>
>+##	dontaudit attempts to read/write udev pidfiles
>+## </summary>
>+## <param name="domain">
>+##	<summary>
>+##	Domain allowed access.
>+##	</summary>
>+## </param>
>+#
>+interface(`dontaudit_udev_pidfile_rw',`
>+	gen_require(`
>+		type udev_var_run_t;
>+	')
>+
>+	dontaudit $1 udev_var_run_t:file { read write };
>+')
>+
>+########################################
>+## <summary>
> ##	Create, read, write, and delete
> ##	udev pid directories
> ## </summary>
>_______________________________________________
>refpolicy mailing list
>refpolicy at oss.tresys.com
>http://oss.tresys.com/mailman/listinfo/refpolicy


* [refpolicy] [PATCH] misc daemons
  2017-04-17 13:46 [refpolicy] [PATCH] misc daemons Russell Coker
  2017-04-17 16:39 ` Guido Trentalancia
@ 2017-04-19  0:38 ` Chris PeBenito
  2017-04-19  4:47   ` Russell Coker
  1 sibling, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2017-04-19  0:38 UTC (permalink / raw)
  To: refpolicy

On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:
> Put in libx32 subs entries that refer to directories with fc entries.
>
> Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
> dpkg-reconfigure.
>
> Some dontaudit rules for mta processes spawned by mon for notification.
>
> Lots of tiny changes that are obvious.

Merged with some line moving and a few notes (following)


> Index: refpolicy-2.20170417/config/file_contexts.subs_dist
> ===================================================================
> --- refpolicy-2.20170417.orig/config/file_contexts.subs_dist
> +++ refpolicy-2.20170417/config/file_contexts.subs_dist
> @@ -12,13 +12,14 @@
>  /lib /usr/lib
>  /lib32 /usr/lib
>  /lib64 /usr/lib
> -/libx32 /usr/libx32
> +/libx32 /usr/lib
>  /sbin /usr/sbin
>  /etc/init.d /etc/rc.d/init.d
>  /lib/systemd /usr/lib/systemd
>  /run/lock /var/lock
>  /usr/lib32 /usr/lib
>  /usr/lib64 /usr/lib
> +/usr/libx32 /usr/lib
>  /usr/local/lib32 /usr/lib
>  /usr/local/lib64 /usr/lib
>  /usr/local/lib /usr/lib
> Index: refpolicy-2.20170417/policy/modules/admin/dmesg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/dmesg.te
> +++ refpolicy-2.20170417/policy/modules/admin/dmesg.te
> @@ -25,6 +25,8 @@ kernel_clear_ring_buffer(dmesg_t)
>  kernel_change_ring_buffer_level(dmesg_t)
>  kernel_list_proc(dmesg_t)
>  kernel_read_proc_symlinks(dmesg_t)
> +dev_read_kmsg(dmesg_t)
> +
>  # for when /usr is not mounted:
>  kernel_dontaudit_search_unlabeled(dmesg_t)
>
> Index: refpolicy-2.20170417/policy/modules/admin/netutils.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/admin/netutils.te
> +++ refpolicy-2.20170417/policy/modules/admin/netutils.te
> @@ -133,6 +133,7 @@ files_read_etc_files(ping_t)
>  files_dontaudit_search_var(ping_t)
>
>  kernel_read_system_state(ping_t)
> +dev_read_urand(ping_t)
>
>  auth_use_nsswitch(ping_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/alsa.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
> +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
> @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
>
>  allow alsa_t alsa_home_t:file read_file_perms;
>
> +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
> +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)

This doesn't seem to fit since /var/lock/asound\.state\.lock is the only 
lockfile.  How is the locking changing?

>  list_dirs_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>  read_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
>  read_lnk_files_pattern(alsa_t, alsa_etc_t, alsa_etc_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/backup.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/backup.te
> +++ refpolicy-2.20170417/policy/modules/contrib/backup.te
> @@ -21,7 +21,7 @@ files_type(backup_store_t)
>  # Local policy
>  #
>
> -allow backup_t self:capability dac_override;
> +allow backup_t self:capability { chown dac_override fsetid };
>  allow backup_t self:process signal;
>  allow backup_t self:fifo_file rw_fifo_file_perms;
>  allow backup_t self:tcp_socket create_socket_perms;
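Review bot: The two capabilities added in `allow backup_t self:capability { chown dac_override fsetid };` come without a comment saying which backup operation needs them; chown lets the domain change the ownership of any file it can reach and fsetid lets it keep setuid/setgid bits when writing, so whoever audits this domain later cannot tell whether the grant is still required. A one-line comment above the rule naming the operation (restoring ownership and mode of archived files, if that is the reason — the patch does not say) would settle it. The same applies to `allow system_munin_plugin_t self:capability net_admin;` in the munin.te hunk, where net_admin is broader still (interface, routing and firewall configuration) and the plugin that needs it is not named.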
> Index: refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/bitlbee.te
> +++ refpolicy-2.20170417/policy/modules/contrib/bitlbee.te
> @@ -61,6 +61,7 @@ files_pid_filetrans(bitlbee_t, bitlbee_v
>
>  kernel_read_kernel_sysctls(bitlbee_t)
>  kernel_read_system_state(bitlbee_t)
> +kernel_read_crypto_sysctls(bitlbee_t)
>
>  corenet_all_recvfrom_unlabeled(bitlbee_t)
>  corenet_all_recvfrom_netlabel(bitlbee_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170417/policy/modules/contrib/dpkg.te
> @@ -66,6 +66,8 @@ allow dpkg_t self:msgq create_msgq_perms
>  allow dpkg_t self:msg { send receive };
>
>  allow dpkg_t dpkg_lock_t:file manage_file_perms;
> +corecmd_bin_domtrans(dpkg_t, dpkg_script_t)
> +corecmd_bin_entry_type(dpkg_script_t)
>
>  spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>
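Review bot: `corecmd_bin_domtrans(dpkg_t, dpkg_script_t)` makes every bin_t executable that dpkg_t runs transition into dpkg_script_t, not just dpkg-reconfigure, which the cover letter gives as the motivation; that is a far wider entry into dpkg_script_t than the existing `spec_domtrans_pattern` on dpkg_var_lib_t and deserves to be stated next to the rule. A comment such as `# dpkg-reconfigure is bin_t; all bin_t execs from dpkg_t now run as dpkg_script_t` would record it. If dpkg_t also has an execute-without-transition permission on bin_t elsewhere in this file (not visible in the hunk), the type_transition added here makes the transition the default for those executions and so changes existing behaviour.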
> @@ -307,6 +309,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	devicekit_dbus_chat_power(dpkg_script_t)
> +')
> +
> +optional_policy(`
>  	modutils_run(dpkg_script_t, dpkg_roles)
>  ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/fetchmail.te
> +++ refpolicy-2.20170417/policy/modules/contrib/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
>  dev_read_urand(fetchmail_t)
>
>  files_read_etc_runtime_files(fetchmail_t)
> +files_search_tmp(fetchmail_t)
>  files_dontaudit_search_home(fetchmail_t)
>
>  fs_getattr_all_fs(fetchmail_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/kerneloops.te
> +++ refpolicy-2.20170417/policy/modules/contrib/kerneloops.te
> @@ -29,6 +29,7 @@ files_tmp_filetrans(kerneloops_t, kernel
>
>  kernel_read_ring_buffer(kerneloops_t)
>  kernel_read_system_state(kerneloops_t)
> +dev_read_urand(kerneloops_t)
>
>  domain_use_interactive_fds(kerneloops_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/loadkeys.te
> +++ refpolicy-2.20170417/policy/modules/contrib/loadkeys.te
> @@ -40,6 +40,7 @@ term_use_unallocated_ttys(loadkeys_t)
>  locallogin_use_fds(loadkeys_t)
>
>  miscfiles_read_localization(loadkeys_t)
> +init_read_script_tmp_files(loadkeys_t)
>
>  userdom_use_user_ttys(loadkeys_t)
>  userdom_list_user_home_content(loadkeys_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.if
> @@ -1 +1,37 @@
>  ## <summary>mon network monitoring daemon.</summary>
> +
> +######################################
> +## <summary>
> +##      dontaudit searching /var/lib/mon
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit
> +##      </summary>
> +## </param>
> +#
> +interface(`mon_dontaudit_search_var_lib',`
> +	gen_require(`
> +		type mon_var_lib_t;
> +	')
> +
> +	dontaudit $1 mon_var_lib_t:dir search;
> +')
> +
> +######################################
> +## <summary>
> +##      dontaudit using an inherited fd from mon_t
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit
> +##      </summary>
> +## </param>
> +#
> +interface(`mon_dontaudit_fd_use',`
> +	gen_require(`
> +		type mon_t;
> +	')
> +
> +	dontaudit $1 mon_t:fd use;
> +')
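Review bot: The name `mon_dontaudit_fd_use` does not follow the verb-object order of the existing fd interfaces (refpolicy uses the `<module>_dontaudit_use_fds` form, e.g. `init_dontaudit_use_fds`), so `mon_dontaudit_use_fds` would be the expected name, and the caller in the mta.te hunk would need the same rename. The XML summaries of both new interfaces are indented with spaces (`##      dontaudit searching /var/lib/mon`) where the surrounding .if files use a single tab, as the udev.if context lines in this patch show. Both points are style only; the two dontaudit rules themselves are as narrow as they can be.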
> Index: refpolicy-2.20170417/policy/modules/contrib/mon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mon.te
> @@ -80,6 +80,7 @@ domain_use_interactive_fds(mon_t)
>  files_read_etc_files(mon_t)
>  files_read_etc_runtime_files(mon_t)
>  files_read_usr_files(mon_t)
> +files_search_var_lib(mon_t)
>
>  fs_getattr_all_fs(mon_t)
>  fs_search_auto_mountpoints(mon_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/mta.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mta.te
> +++ refpolicy-2.20170417/policy/modules/contrib/mta.te
> @@ -324,6 +324,10 @@ optional_policy(`
>  	')
>  ')
>
> +optional_policy(`
> +	mon_dontaudit_fd_use(mta_user_agent)
> +')
> +
>  ########################################
>  #
>  # Mailserver delivery local policy
> @@ -379,6 +383,10 @@ optional_policy(`
>  ')
>
>  optional_policy(`
> +	mon_dontaudit_search_var_lib(mailserver_delivery)
> +')
> +
> +optional_policy(`
>  	postfix_rw_inherited_master_pipes(mailserver_delivery)
>  ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/munin.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/munin.te
> +++ refpolicy-2.20170417/policy/modules/contrib/munin.te
> @@ -386,6 +386,7 @@ optional_policy(`
>  #
>
>  allow system_munin_plugin_t self:udp_socket create_socket_perms;
> +allow system_munin_plugin_t self:capability net_admin;
>
>  rw_files_pattern(system_munin_plugin_t, munin_var_lib_t, munin_var_lib_t)
>
> @@ -396,6 +397,7 @@ kernel_read_all_sysctls(system_munin_plu
>
>  dev_read_sysfs(system_munin_plugin_t)
>  dev_read_urand(system_munin_plugin_t)
> +files_read_usr_files(system_munin_plugin_t)
>
>  domain_read_all_domains_state(system_munin_plugin_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/mysql.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
> +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
> @@ -78,7 +78,7 @@ interface(`mysql_signal',`
>  		type mysqld_t;
>  	')
>
> -	allow $1 mysqld_t:process signal;
> +	allow $1 mysqld_t:process { signal signull };

I'd prefer a separate interface.  Dropped since I can't determine which 
domain(s) would call the new interface.

>  ')
>
>  ########################################
> Index: refpolicy-2.20170417/policy/modules/contrib/ntp.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/ntp.te
> +++ refpolicy-2.20170417/policy/modules/contrib/ntp.te
> @@ -70,7 +70,7 @@ files_var_filetrans(ntpd_t, ntp_drift_t,
>  read_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>  read_lnk_files_pattern(ntpd_t, ntpd_key_t, ntpd_key_t)
>
> -allow ntpd_t ntpd_lock_t:file write_file_perms;
> +allow ntpd_t ntpd_lock_t:file rw_file_perms;
>
>  allow ntpd_t ntpd_log_t:dir setattr_dir_perms;
>  append_files_pattern(ntpd_t, ntpd_log_t, ntpd_log_t)
> Index: refpolicy-2.20170417/policy/modules/contrib/rsync.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
> @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
>  	files_list_non_auth_dirs(rsync_t)
>  	files_read_non_auth_files(rsync_t)
>  	files_read_non_auth_symlinks(rsync_t)
> +	getattr_fifo_files_pattern(rsync_t, file_type, file_type)
> +	getattr_sock_files_pattern(rsync_t, file_type, file_type)

Dropped due to encapsulation problem (needs to use interfaces)

>  	auth_tunable_read_shadow(rsync_t)
>  ')
>
> Index: refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/rtkit.te
> +++ refpolicy-2.20170417/policy/modules/contrib/rtkit.te
> @@ -36,6 +36,9 @@ logging_send_syslog_msg(rtkit_daemon_t)
>
>  miscfiles_read_localization(rtkit_daemon_t)
>
> +selinux_getattr_fs(rtkit_daemon_t)
> +seutil_search_default_contexts(rtkit_daemon_t)
> +
>  optional_policy(`
>  	dbus_system_domain(rtkit_daemon_t, rtkit_daemon_exec_t)
>
> Index: refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/contrib/smartmon.te
> +++ refpolicy-2.20170417/policy/modules/contrib/smartmon.te
> @@ -69,6 +69,7 @@ files_exec_etc_files(fsdaemon_t)
>  files_read_etc_files(fsdaemon_t)
>  files_read_etc_runtime_files(fsdaemon_t)
>  files_read_usr_files(fsdaemon_t)
> +files_search_var_lib(fsdaemon_t)
>
>  fs_getattr_all_fs(fsdaemon_t)
>  fs_search_auto_mountpoints(fsdaemon_t)
> Index: refpolicy-2.20170417/policy/modules/system/fstools.te
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
> +++ refpolicy-2.20170417/policy/modules/system/fstools.te
> @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
>  allow fsadm_t fsadm_run_t:file manage_file_perms;
>  files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>
> +# for /run/mount/utab
> +stat_mount_var_run(fsadm_t)

Doesn't exist (and incorrect interface name)


>  # log files
>  allow fsadm_t fsadm_log_t:dir setattr;
>  manage_files_pattern(fsadm_t, fsadm_log_t, fsadm_log_t)
> @@ -208,6 +211,10 @@ optional_policy(`
>
>  optional_policy(`
>  	udev_read_db(fsadm_t)
> +
> +	# Xen causes losetup to run with a presumably accidentally inherited
> +	# file handle for /run/xen-hotplug/block
> +	dontaudit_udev_pidfile_rw(fsadm_t)
>  ')
>
>  optional_policy(`
> Index: refpolicy-2.20170417/policy/modules/system/udev.if
> ===================================================================
> --- refpolicy-2.20170417.orig/policy/modules/system/udev.if
> +++ refpolicy-2.20170417/policy/modules/system/udev.if
> @@ -301,6 +301,24 @@ interface(`udev_list_pids',`
>
>  ########################################
>  ## <summary>
> +##	dontaudit attempts to read/write udev pidfiles
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dontaudit_udev_pidfile_rw',`

Renamed

> +	gen_require(`
> +		type udev_var_run_t;
> +	')
> +
> +	dontaudit $1 udev_var_run_t:file { read write };
> +')
> +
> +########################################
> +## <summary>
>  ##	Create, read, write, and delete
>  ##	udev pid directories
>  ## </summary>



-- 
Chris PeBenito


* [refpolicy] [PATCH] misc daemons
  2017-04-19  0:38 ` Chris PeBenito
@ 2017-04-19  4:47   ` Russell Coker
  2017-04-20 22:24     ` Chris PeBenito
  0 siblings, 1 reply; 6+ messages in thread
From: Russell Coker @ 2017-04-19  4:47 UTC (permalink / raw)
  To: refpolicy

On Wed, 19 Apr 2017 10:38:36 AM Chris PeBenito wrote:
> On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:
> > Put in libx32 subs entries that refer to directories with fc entries.
> > 
> > Allow dpkg_t to transition to dpkg_script_t when it executes bin_t for
> > dpkg-reconfigure.
> > 
> > Some dontaudit rules for mta processes spawned by mon for notification.
> > 
> > Lots of tiny changes that are obvious.
> 
> Merged with some line moving and a few notes (following)

Thanks.

> > --- refpolicy-2.20170417.orig/policy/modules/contrib/alsa.te
> > +++ refpolicy-2.20170417/policy/modules/contrib/alsa.te
> > @@ -50,6 +50,9 @@ allow alsa_t self:unix_stream_socket { a
> > 
> >  allow alsa_t alsa_home_t:file read_file_perms;
> > 
> > +files_pid_filetrans(alsa_t, alsa_var_lock_t, dir, "alsa")
> > +manage_lnk_files_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> > +manage_dirs_pattern(alsa_t, alsa_var_lock_t, alsa_var_lock_t)
> 
> This doesn't seem to fit since /var/lock/asound\.state\.lock is the only
> lockfile.  How is the locking changing?

I can't remember.  With things like this if you think it shouldn't be in there 
just drop them and I'll do further investigation.  For all I know the latest 
version of the alsa utilities might not even require such access any more.

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/contrib/mysql.if
> > +++ refpolicy-2.20170417/policy/modules/contrib/mysql.if
> > @@ -78,7 +78,7 @@ interface(`mysql_signal',`
> > 
> >  		type mysqld_t;
> >  	
> >  	')
> > 
> > -	allow $1 mysqld_t:process signal;
> > +	allow $1 mysqld_t:process { signal signull };
> 
> I'd prefer a separate interface.  Dropped since I can't determine which
> domain(s) would call the new interface.

In what situation could it be reasonable to allow signal access without 
allowing signull?  It's like permitting file read and write but not getattr: 
you can make access finer grained, but is there any point?

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/contrib/rsync.te
> > +++ refpolicy-2.20170417/policy/modules/contrib/rsync.te
> > @@ -158,6 +158,8 @@ tunable_policy(`rsync_export_all_ro',`
> > 
> >  	files_list_non_auth_dirs(rsync_t)
> >  	files_read_non_auth_files(rsync_t)
> >  	files_read_non_auth_symlinks(rsync_t)
> > 
> > +	getattr_fifo_files_pattern(rsync_t, file_type, file_type)
> > +	getattr_sock_files_pattern(rsync_t, file_type, file_type)
> 
> Dropped due to encapsulation problem (needs to use interfaces)

OK, I'll make a new patch for this.

===================================================================
> > --- refpolicy-2.20170417.orig/policy/modules/system/fstools.te
> > +++ refpolicy-2.20170417/policy/modules/system/fstools.te
> > @@ -52,6 +52,9 @@ allow fsadm_t fsadm_run_t:dir manage_dir
> > 
> >  allow fsadm_t fsadm_run_t:file manage_file_perms;
> >  files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
> > 
> > +# for /run/mount/utab
> > +stat_mount_var_run(fsadm_t)
> 
> Doesn't exist (and incorrect interface name)

Does on Debian.  Should I put it in a ifdef distro_debian?  What would be the 
correct interface name?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH] misc daemons
  2017-04-19  4:47   ` Russell Coker
@ 2017-04-20 22:24     ` Chris PeBenito
  2017-04-21  5:35       ` Russell Coker
  0 siblings, 1 reply; 6+ messages in thread
From: Chris PeBenito @ 2017-04-20 22:24 UTC (permalink / raw)
  To: refpolicy

On 04/19/2017 12:47 AM, Russell Coker wrote:
> On Wed, 19 Apr 2017 10:38:36 AM Chris PeBenito wrote:
>> On 04/17/2017 09:46 AM, Russell Coker via refpolicy wrote:

>>>
>>>  allow fsadm_t fsadm_run_t:file manage_file_perms;
>>>  files_pid_filetrans(fsadm_t, fsadm_run_t, dir)
>>>
>>> +# for /run/mount/utab
>>> +stat_mount_var_run(fsadm_t)
>>
>> Doesn't exist (and incorrect interface name)
>
> Does on Debian.  Should I put it in a ifdef distro_debian?  What would be the
> correct interface name?

I'm not sure what the interface does to suggest a name other than the 
name starts with the module's name (i.e. stat isn't a module). 
Regardless, I can't have a call to a nonexistent interface upstream in 
any case.

-- 
Chris PeBenito


* [refpolicy] [PATCH] misc daemons
  2017-04-20 22:24     ` Chris PeBenito
@ 2017-04-21  5:35       ` Russell Coker
  0 siblings, 0 replies; 6+ messages in thread
From: Russell Coker @ 2017-04-21  5:35 UTC (permalink / raw)
  To: refpolicy

On Fri, 21 Apr 2017 08:24:05 AM Chris PeBenito via refpolicy wrote:
> >>> +# for /run/mount/utab
> >>> +stat_mount_var_run(fsadm_t)
> >> 
> >> Doesn't exist (and incorrect interface name)
> > 
> > Does on Debian.  Should I put it in a ifdef distro_debian?  What would be
> > the correct interface name?
> 
> I'm not sure what the interface does to suggest a name other than the 
> name starts with the module's name (i.e. stat isn't a module). 
> Regardless, I can't have a call to a nonexistent interface upstream in 
> any case.

Sorry, I thought you meant that the file /run/mount/utab didn't exist.

I've added that policy to a later patch with a better interface name.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

