* [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability
From: Luis Ressel @ 2017-11-15  7:10 UTC
  To: refpolicy

It already has dac_override, and depending on the pam modules being
used, this may actually be necessary. Due to the 4.13 changes, I'm now
getting dac_read_search denials.
---
 policy/modules/system/locallogin.te | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 92679ce36..ff8df49df 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -32,7 +32,7 @@ role system_r types sulogin_t;
 # Local login local policy
 #
 
-allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
+allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
 allow local_login_t self:process { setexec setrlimit setsched };
 allow local_login_t self:fd use;
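Review bot: the new permission is inserted out of order on the `+allow` line: `dac_read_search` is placed before `dac_override`, while the rest of the set is alphabetical (`chown dac_override fowner fsetid kill ...`). Suggest `{ chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }` so the set stays sorted and is easy to compare against the other domains in the policy. The commit message should also say why `dac_read_search` is required next to the `dac_override` the domain already holds, instead of "may actually be necessary": the 4.13 change it mentions is the reason the denial now appears, and naming that is what someone later auditing this capability grant will want to read.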
-- 
2.15.0
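The denials the commit message mentions show up in audit.log as AVC records. The following is an added example, not code from this thread or from refpolicy, that parses such records into the allow rules they would need and merges a new capability into the locallogin.te rule patch 1 touches while keeping the permission set sorted. The audit lines are constructed for the example; the target type mail_home_rw_t is assumed from the mta_list_mail_home_rw() interface name in patch 2.

```python
"""Summarise SELinux AVC denials into candidate refpolicy allow rules.

Added example for this thread, not code from refpolicy or from the thread's
authors. The audit records below are constructed; the type mail_home_rw_t is
assumed from the mta_list_mail_home_rw() interface name in patch 2, and the
existing capability rule is the one patch 1 modifies.
"""
import re
from collections import Counter

# Constructed sample of audit.log records: two dac_read_search capability
# checks from login running as local_login_t, one directory read of
# ~/Maildir, and one non-AVC record that the parser must skip.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1510729815.101:201): avc:  denied  { dac_read_search } for  pid=1234 comm="login" capability=2  scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1510729815.102:202): avc:  denied  { read } for  pid=1234 comm="login" name="Maildir" dev="sda1" ino=393222 scontext=system_u:system_r:local_login_t:s0 tcontext=user_u:object_r:mail_home_rw_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1510729815.103:203): avc:  denied  { dac_read_search } for  pid=1235 comm="login" capability=2  scontext=system_u:system_r:local_login_t:s0 tcontext=system_u:system_r:local_login_t:s0 tclass=capability permissive=0
type=SYSCALL msg=audit(1510729815.103:203): arch=c000003e syscall=2 success=no exit=-13 comm="login"
"""

# The rule in locallogin.te before patch 1, as shown in the diff.
EXISTING_RULE = ("allow local_login_t self:capability { chown dac_override fowner "
                 "fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };")

AVC_RE = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SET_RULE_RE = re.compile(r"^allow (\S+) (\S+):(\S+) \{ ([^}]*) \};$")


def type_of(context):
    """Extract the type field from user:role:type[:range]."""
    return context.split(":")[2]


def parse_avc(line):
    """Return (denied_perms, fields) for an AVC denial, or None for other records."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    return m.group("perms").split(), fields


def denials_to_rules(log_text):
    """Group denials by (source type, target type, class); return perms and counts."""
    perms_by_key, counts = {}, Counter()
    for line in log_text.splitlines():
        parsed = parse_avc(line)
        if parsed is None:
            continue
        perms, f = parsed
        key = (type_of(f["scontext"]), type_of(f["tcontext"]), f["tclass"])
        perms_by_key.setdefault(key, set()).update(perms)
        counts[key] += 1
    return perms_by_key, counts


def format_rule(stype, ttype, tclass, perms):
    """Render one allow rule; a same-type target is written as self."""
    target = "self" if stype == ttype else ttype
    perms = sorted(perms)
    body = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {stype} {target}:{tclass} {body};"


def summarize(log_text):
    """Sorted list of the allow rules the log's denials would need."""
    perms_by_key, _ = denials_to_rules(log_text)
    return sorted(format_rule(*key, perms) for key, perms in perms_by_key.items())


def merge_into_rule(existing_rule, new_perms):
    """Add permissions to a brace-set allow rule, keeping the set sorted."""
    m = SET_RULE_RE.match(existing_rule.strip())
    if m is None:
        raise ValueError("expected an allow rule with a { ... } permission set")
    stype, target, tclass, perms = m.groups()
    merged = " ".join(sorted(set(perms.split()) | set(new_perms)))
    return f"allow {stype} {target}:{tclass} {{ {merged} }};"


if __name__ == "__main__":
    rules, counts = denials_to_rules(SAMPLE_AUDIT_LOG)
    for key, perms in rules.items():
        print(f"{counts[key]:3d}x  {format_rule(*key, perms)}")
    print(merge_into_rule(EXISTING_RULE, ["dac_read_search"]))
```

The raw `allow local_login_t mail_home_rw_t:dir read;` the summary produces is what patch 2 expresses through the mta_list_mail_home_rw() interface instead; refpolicy modules call interfaces rather than naming another module's types directly, so the generated rule is a hint about which interface to look for, not a line to paste into locallogin.te. The merge step keeps the capability set alphabetical, which matches the existing order of the rule in the diff.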


* [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories
From: Luis Ressel @ 2017-11-15  7:10 UTC
  To: refpolicy

---
 policy/modules/system/locallogin.te | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index ff8df49df..8a0660320 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -183,6 +183,9 @@ optional_policy(`
 optional_policy(`
 	# Search for mail spool file.
 	mta_getattr_spool(local_login_t)
+
+	# List contents of ~/Maildir
+	mta_list_mail_home_rw(local_login_t)
 ')
 
 optional_policy(`
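Review bot: the patch carries no commit message, so nothing in the hunk says why local_login_t needs to list `~/Maildir`; the existing comment in this block ("Search for mail spool file.") explains the neighbouring `mta_getattr_spool` call, and the new `# List contents of ~/Maildir` line deserves the same: state that it is for pam_mail reporting mail status at login when the MDA delivers into `~/Maildir`. Also consider whether the rule belongs in the mta optional block of locallogin.te at all: the need comes from a PAM module, so every PAM client that runs pam_mail will hit the same denial, and an authlogin-side interface covering pam clients would avoid repeating the rule domain by domain.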
-- 
2.15.0


* [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories
From: Russell Coker @ 2017-11-15  9:40 UTC
  To: refpolicy

Why is that needed?  Is there some pam module or something that is displaying 
mail status?

On Wednesday, 15 November 2017 8:10:15 AM AEDT Luis Ressel via refpolicy 
wrote:
> ---
>  policy/modules/system/locallogin.te | 3 +++
>  1 file changed, 3 insertions(+)
> 
> diff --git a/policy/modules/system/locallogin.te
> b/policy/modules/system/locallogin.te index ff8df49df..8a0660320 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -183,6 +183,9 @@ optional_policy(`
>  optional_policy(`
>  	# Search for mail spool file.
>  	mta_getattr_spool(local_login_t)
> +
> +	# List contents of ~/Maildir
> +	mta_list_mail_home_rw(local_login_t)
>  ')
> 
>  optional_policy(`


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories
From: Luis Ressel @ 2017-11-15 19:58 UTC
  To: refpolicy

On Wed, 15 Nov 2017 20:40:54 +1100
Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:

> Why is that needed?  Is there some pam module or something that is
> displaying mail status?

Yes, indeed. Sorry, I'd been meaning to supply a more detailed
description, but apparently I forgot.

My use case is to let login display mail status via the pam_mail module.
Since my MDA delivers directly to ~/Maildir, this requires the
permission I submitted.

Regards,
Luis Ressel


* [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories
From: Dominick Grift @ 2017-11-15 20:00 UTC
  To: refpolicy

On Wed, Nov 15, 2017 at 08:58:57PM +0100, Luis Ressel via refpolicy wrote:
> On Wed, 15 Nov 2017 20:40:54 +1100
> Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
> 
> > Why is that needed?  Is there some pam module or something that is
> > displaying mail status?
> 
> Yes, indeed. Sorry, I'd been meaning to supply a more detailed
> description, but apparently I forgot.
> 
> My use case is to let login display mail status via the pam_mail module.
> Since my MDA delivers directly to ~/Maildir, this requires the
> permission I submitted.

I would probably then consider adding this to authconfig. Probably associate these rules with pam clients.

> 
> Regards,
> Luis Ressel

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 2/2] locallogin: Allow local_login_t to list Maildirs in home directories
From: Dominick Grift @ 2017-11-15 20:25 UTC
  To: refpolicy

On Wed, Nov 15, 2017 at 09:00:45PM +0100, Dominick Grift wrote:
> On Wed, Nov 15, 2017 at 08:58:57PM +0100, Luis Ressel via refpolicy wrote:
> > On Wed, 15 Nov 2017 20:40:54 +1100
> > Russell Coker via refpolicy <refpolicy@oss.tresys.com> wrote:
> > 
> > > Why is that needed?  Is there some pam module or something that is
> > > displaying mail status?
> > 
> > Yes, indeed. Sorry, I'd been meaning to supply a more detailed
> > description, but apparently I forgot.
> > 
> > My use case is to let login display mail status via the pam_mail module.
> > Since my MDA delivers directly to ~/Maildir, this requires the
> > permission I submitted.
> 
> I would probably then consider adding this to authconfig. Probably associate these rules with pam clients.

I meant to type "authlogin"
> 
> > 
> > Regards,
> > Luis Ressel



-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift


* [refpolicy] [PATCH 1/2] locallogin: Grant local_login_t the dac_read_search capability
From: Chris PeBenito @ 2017-11-18 10:55 UTC
  To: refpolicy

On 11/15/2017 02:10 AM, Luis Ressel via refpolicy wrote:
> It already has dac_override, and depending on the pam modules being
> used, this may actually be necessary. Due to the 4.13 changes, I'm now
> getting dac_read_search denials.
> ---
>   policy/modules/system/locallogin.te | 2 +-
>   1 file changed, 1 insertion(+), 1 deletion(-)
> 
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 92679ce36..ff8df49df 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -32,7 +32,7 @@ role system_r types sulogin_t;
>   # Local login local policy
>   #
>   
> -allow local_login_t self:capability { chown dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> +allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
>   dontaudit local_login_t self:capability net_admin;
>   allow local_login_t self:process { setexec setrlimit setsched };
>   allow local_login_t self:fd use;

Merged.

-- 
Chris PeBenito

