* [refpolicy] RFC: patch to update git reference policy
@ 2011-01-19  0:40 Guido Trentalancia
  2011-01-20 13:18 ` Christopher J. PeBenito
  0 siblings, 1 reply; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-19  0:40 UTC (permalink / raw)
  To: refpolicy

Hello,

I have created a set of two patches to update the git reference policy
to run on a generic modern Linux system.

Most changes are relative to the dbus system (send_msg capability). Some
interfaces and a few file contexts have also been added for convenience.
In particular /sbin/upstart is now labelled correctly (many
distributions nowadays link /sbin/init to /sbin/upstart to leave some
choice, so it is necessary to label the latter appropriately).

Please send your comments and feel free to test intensively. Thanks.

Regards,

Guido

diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc
--- refpolicy-git-18012011/policy/modules/services/dbus.fc	2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc	2011-01-17 20:53:01.132703217 +0100
@@ -1,11 +1,24 @@
 /etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
 
 /bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-cleanup-sockets	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-launch	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-monitor	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-send		--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-uuidgen	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/bin/dbus-binding-tool	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
 
 /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
 /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-cleanup-sockets	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-launch	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-monitor	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-send	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-uuidgen	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+/usr/bin/dbus-binding-tool	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
+
 /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
 
 /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
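Review bot: the added /bin and /usr/bin entries give dbus-send, dbus-monitor, dbus-launch, dbus-uuidgen, dbus-cleanup-sockets and dbus-binding-tool the same dbusd_exec_t type as dbus-daemon and the launch helper. These are client and developer utilities, not the bus daemon, so sharing the daemon's executable type means any rule keyed on dbusd_exec_t now applies to them as well. Please leave them with their default label, or give them a separate type, unless a denial shows that each one needs the daemon's type.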
diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc
--- refpolicy-git-18012011/policy/modules/system/init.fc	2011-01-08 19:07:21.350758412 +0100
+++ refpolicy-git-18012011-new/policy/modules/system/init.fc	2011-01-17 20:35:02.785918606 +0100
@@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
 # /sbin
 #
 /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
+# because nowadays, /sbin/init is often a symlink to /sbin/upstart
+/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
 
 ifdef(`distro_gentoo', `
 /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te
--- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
@@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
 
 auth_dontaudit_read_shadow(readahead_t)
 
+init_read_fifo_file(readahead_t)
 init_use_fds(readahead_t)
 init_use_script_ptys(readahead_t)
 init_getattr_initctl(readahead_t)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if
--- refpolicy-git-18012011/policy/modules/kernel/corecommands.if	2011-01-08 19:07:21.197734248 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if	2011-01-18 23:13:49.755846822 +0100
@@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
 
 ########################################
 ## <summary>
+##      Allow mmap_file_perms on a shell
+##      executable.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`corecmd_mmap_file_exec_shell',`
+        gen_require(`
+                type bin_t, shell_exec_t;
+        ')
+
+        list_dirs_pattern($1, bin_t, bin_t)
+        read_lnk_files_pattern($1, bin_t, bin_t)
+        allow $1 shell_exec_t:file mmap_file_perms;
+')
+
+########################################
+## <summary>
 ##	Execute shells in the caller domain.
 ## </summary>
 ## <desc>
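Review bot: the summary of corecmd_mmap_file_exec_shell ("Allow mmap_file_perms on a shell executable") names the permission set instead of saying what the caller is allowed to do, and the interface name has the same problem. Please describe the access in words, as the neighbouring "Execute shells in the caller domain." does. The added lines are also indented with spaces while the context lines in this file use tabs.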
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if
--- refpolicy-git-18012011/policy/modules/kernel/files.if	2011-01-08 19:07:21.203735196 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if	2011-01-18 23:13:49.759847386 +0100
@@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
 
 ########################################
 ## <summary>
+##      Set the attributes of the /bin directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_setattr_bin_dirs',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir setattr;
+')
+
+########################################
+## <summary>
+##      Search the content of /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_search_bin',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##      Get the attributes of files in /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_getattr_bin_files',`
+        gen_require(`
+                type bin_t;
+        ')
+
+        getattr_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Read generic files in /bin.
+## </summary>
+## <desc>
+##      <p>
+##      Allow the specified domain to read generic
+##      files in /bin. These files are various program
+##      files that do not have more specific SELinux types.
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_read_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir list_dir_perms;
+	read_files_pattern($1, bin_t, bin_t)
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Execute generic programs in /bin in the caller domain.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_exec_bin_files',`
+	gen_require(`
+		type bin_t;
+	')
+
+	allow $1 bin_t:dir list_dir_perms;
+	exec_files_pattern($1, bin_t, bin_t)
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
+##      Read symbolic links in /bin.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_bin_symlinks',`
+	gen_require(`
+		type bin_t;
+	')
+
+	read_lnk_files_pattern($1, bin_t, bin_t)
+')
+
+########################################
+## <summary>
 ##	Set the attributes of the /usr directory.
 ## </summary>
 ## <param name="domain">
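Review bot: every interface added in this hunk requires bin_t, which the corecommands.if hunk of this same patch handles under the corecmd_ prefix, and files_exec_bin_files overlaps with corecmd_exec_bin, which devicekit.te already calls in a context line further down. Please reuse the existing corecmd_ interfaces, or add anything missing to corecommands.if, instead of introducing a parallel files_*_bin_* set. Indentation also switches between spaces (files_getattr_bin_files) and tabs within the hunk.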
@@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
 
 ########################################
 ## <summary>
-##	Search the content of /etc.
+##	Search the content of /usr.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
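Review bot: the /etc to /usr correction in this summary is a documentation fix to an existing interface and is unrelated to the new access being added. Please send it as its own patch so it can be applied independently.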
@@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
 ')
 
 ########################################
+## <summary>
+##      Get the attributes of the /var/log directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_getattr_var_log_dirs',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	getattr_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Search the /var/log directory.
+## </summary>
+## <desc>
+##      <p>
+##      Search the /var/log directory.  This is
+##      necessary to access files or directories under
+##      /var/log that have a private type.  For example, a
+##      domain accessing a private log file in the
+##      /var/log directory:
+##      </p>
+##      <p>
+##      allow mydomain_t mylogfile_t:file read_file_perms;
+##      files_search_var_log(mydomain_t)
+##      </p>
+## </desc>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_search_var_log',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	search_dirs_pattern($1, var_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Do not audit attempts to search the
+##      contents of /var/log.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+## <infoflow type="read" weight="5"/>
+#
+interface(`files_dontaudit_search_var_log',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	dontaudit $1 var_log_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+##      List the contents of the /var/log directory.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_list_var_log',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	list_dirs_pattern($1, var_t, var_log_t)
+')
+
+###########################################
+## <summary>
+##      Read-write /var/log directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_rw_var_log_dirs',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	rw_dirs_pattern($1, var_log_t, var_log_t)
+')
+
+###########################################
+## <summary>
+##      Append to files in the /var/log directories
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_var_log_append',`
+	gen_require(`
+		type var_log_t;
+	')
+
+	append_files_pattern($1, var_log_t, var_log_t)
+')
+
+########################################
+## <summary>
+##      Create objects in the /var/log directory
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+## <param name="file_type">
+##      <summary>
+##      The type of the object to be created
+##      </summary>
+## </param>
+## <param name="object_class">
+##      <summary>
+##      The object class.
+##      </summary>
+## </param>
+#
+interface(`files_var_log_filetrans',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	allow $1 var_t:dir search_dir_perms;
+	filetrans_pattern($1, var_log_t, $2, $3)
+')
+
+########################################
+## <summary>
+##      Read generic files in /var/log.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_var_log_files',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	allow $1 var_log_t:dir list_dir_perms;
+	read_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
+## <summary>
+##      Read generic symbolic links in /var/log
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`files_read_var_log_symlinks',`
+	gen_require(`
+		type var_t, var_log_t;
+	')
+
+	read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
+')
+
+########################################
 ## <summary>
 ##	Search the locks directory (/var/lock).
 ## </summary>
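Review bot: the new /var/log interfaces are named inconsistently: files_var_log_append and files_var_log_filetrans put the verb last, while files_read_var_log_files and files_search_var_log put it first. They all require var_log_t as well; if that type is declared by the logging module, the interfaces belong in that module with its prefix, and it is worth checking whether equivalents already exist there before adding nine new ones. The summaries of files_rw_var_log_dirs, files_var_log_append, files_var_log_filetrans and files_read_var_log_symlinks are missing their final period, and two separator lines are longer than the rest.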
diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if
--- refpolicy-git-18012011/policy/modules/kernel/kernel.if	2011-01-17 19:36:10.808130722 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if	2011-01-18 23:13:49.763847950 +0100
@@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
 
 ########################################
 ## <summary>
+##      Allows to search the base
+##      directory of sysctls.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain to not audit.
+##      </summary>
+## </param>
+##
+#
+interface(`kernel_search_sysctl',`
+        gen_require(`
+                type sysctl_t;
+        ')
+
+        allow $1 sysctl_t:dir search;
+')
+
+########################################
+## <summary>
 ##	Do not audit attempts by caller to search
 ##	the base directory of sysctls.
 ## </summary>
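Review bot: the parameter description of kernel_search_sysctl says "Domain to not audit." but the body is "allow $1 sysctl_t:dir search;", so the text looks copied from the dontaudit interface that follows. It should read "Domain allowed access." Please also drop the stray "##" line before the closing "#", reword the summary to "Search the base directory of sysctls.", and consider search_dir_perms in place of the bare search permission, as files_search_bin does elsewhere in this patch.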
@@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
 ')
 
 ########################################
+## <summary>
+##      Allow caller to search filesystem sysctls.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`kernel_search_fs_sysctl',`
+	gen_require(`
+		type proc_t, sysctl_t, sysctl_fs_t;
+	')
+
+	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
+')
+
+########################################
 ## <summary>
 ##	Read filesystem sysctls.
 ## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if
--- refpolicy-git-18012011/policy/modules/services/avahi.if	2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if	2011-01-18 23:38:58.297498219 +0100
@@ -75,6 +75,25 @@ interface(`avahi_signull',`
 
 ########################################
 ## <summary>
+##      Send a dbus message to avahi.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`avahi_dbus_send',`
+	gen_require(`
+		type avahi_t;
+		class dbus send_msg;
+	')
+
+	allow $1 avahi_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	avahi over dbus.
 ## </summary>
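Review bot: avahi_dbus_send grants only "allow $1 avahi_t:dbus send_msg;", while the interface that follows it in this file already covers sending and receiving. The same one-way interface is added for consolekit, devicekit, NetworkManager, ntp and setroubleshoot in this patch. Please state in the description which callers need to send without being able to receive, and include the denials that led to each one; without that it is hard to tell why the existing chat interfaces were not sufficient.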
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te
--- refpolicy-git-18012011/policy/modules/services/avahi.te	2011-01-08 19:07:21.224738512 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te	2011-01-19 01:20:50.132124585 +0100
@@ -104,9 +104,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ntp_dbus_send(avahi_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(avahi_t)
 ')
 
 optional_policy(`
 	udev_read_db(avahi_t)
 ')
+
+optional_policy(`
+	xserver_xdm_dbus_send(avahi_t)
+')
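Review bot: ntp_dbus_send(avahi_t) here and avahi_dbus_send(ntpd_t) in the ntp.te hunk together allow messages in both directions between avahi_t and ntpd_t, which is what a chat interface expresses in one call. Splitting it across two modules makes the relationship harder to audit. Please use a single send-and-receive call in one of the two modules, and say why avahi and xdm need to exchange messages at all.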
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if
--- refpolicy-git-18012011/policy/modules/services/consolekit.if	2011-01-08 19:07:21.232739776 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if	2011-01-18 23:13:49.767848514 +0100
@@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
 
 ########################################
 ## <summary>
+##      Send a dbus message to
+##      consolekit.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`consolekit_dbus_send',`
+        gen_require(`
+                type consolekit_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 consolekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	consolekit over dbus.
 ## </summary>
@@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',`
 	')
 
 	files_search_pids($1)
+	allow $1 consolekit_var_run_t:dir list_dir_perms;
 	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
 ')
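Review bot: adding "allow $1 consolekit_var_run_t:dir list_dir_perms;" inside consolekit_read_pid_files widens the access of every existing caller of that interface, not only system_dbusd_t, which this patch adds as a caller. The interface name promises reading PID files only. If the bus daemon really needs to list the directory, please add a separate interface for that and call it from dbus.te.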
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te
--- refpolicy-git-18012011/policy/modules/services/dbus.te	2011-01-08 19:07:21.238740722 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te	2011-01-18 23:13:49.790851763 +0100
@@ -52,7 +52,7 @@ ifdef(`enable_mls',`
 
 # dac_override: /var/run/dbus is owned by messagebus on Debian
 # cjp: dac_override should probably go in a distro_debian
-allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
+allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
 dontaudit system_dbusd_t self:capability sys_tty_config;
 allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
 allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
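Review bot: sys_ptrace is added to the capability set of system_dbusd_t with no comment, while the existing dac_override in the same rule carries a two-line explanation. sys_ptrace is a sensitive capability for a daemon that every D-Bus client talks to. Please include the denial that triggered it and a comment in the policy; if it comes from reading /proc entries of other processes and nothing breaks without it, a dontaudit rule is the better choice.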
@@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t)
 domain_use_interactive_fds(system_dbusd_t)
 domain_read_all_domains_state(system_dbusd_t)
 
+files_search_default(system_dbusd_t)
+files_read_default_files(system_dbusd_t)
 files_read_etc_files(system_dbusd_t)
 files_list_home(system_dbusd_t)
-files_read_usr_files(system_dbusd_t)
+files_exec_bin_files(system_dbusd_t)
+files_exec_usr_files(system_dbusd_t)
+files_read_var_lib_files(system_dbusd_t)
+files_var_log_append(system_dbusd_t)
 
 init_use_fds(system_dbusd_t)
 init_use_script_ptys(system_dbusd_t)
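Review bot: this hunk removes files_read_usr_files and adds files_exec_usr_files and files_exec_bin_files, so system_dbusd_t goes from reading generic /usr files to executing generic /usr and /bin programs in its own domain. That is a large increase for the system bus daemon and needs a justification per program, preferably with a domain transition for whatever is being started. files_read_default_files and files_search_default suggest that some file the daemon reads is unlabelled; fixing the file context is preferable to granting access to the default type. Please also explain why the daemon has to append to generic /var/log files.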
@@ -141,6 +146,24 @@ optional_policy(`
 ')
 
 optional_policy(`
+	consolekit_read_pid_files(system_dbusd_t)
+	consolekit_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+	devicekit_dbus_send_disk(system_dbusd_t)
+	devicekit_dbus_send_power(system_dbusd_t)
+')
+
+optional_policy(`
+	networkmanager_dbus_send(system_dbusd_t)
+')
+
+optional_policy(`
+	ntp_dbus_chat(system_dbusd_t)
+')
+
+optional_policy(`
 	policykit_dbus_chat(system_dbusd_t)
 	policykit_domtrans_auth(system_dbusd_t)
 	policykit_search_lib(system_dbusd_t)
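Review bot: the new optional blocks give system_dbusd_t one-way send access to consolekit, devicekit disk and power, and NetworkManager, but two-way chat access to ntp, with no comment explaining the difference. The existing policykit block in the context lines uses chat. Please make the direction consistent or document why it differs per service, and include the denials seen for each.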
@@ -154,6 +177,10 @@ optional_policy(`
 	udev_read_db(system_dbusd_t)
 ')
 
+optional_policy(`
+	xserver_xdm_dbus_chat(system_dbusd_t)
+')
+
 ########################################
 #
 # Unconfined access to this module
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if
--- refpolicy-git-18012011/policy/modules/services/devicekit.if	2011-01-08 19:07:21.240741038 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if	2011-01-18 23:13:49.791851900 +0100
@@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',`
 
 ########################################
 ## <summary>
+##      Send a dbus message to devicekit.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`devicekit_dbus_send',`
+	gen_require(`
+		type devicekit_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	devicekit over dbus.
 ## </summary>
@@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',`
 
 ########################################
 ## <summary>
+##      Send a dbus message to devicekit disk.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_disk',`
+        gen_require(`
+		type devicekit_disk_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_disk_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	devicekit disk over dbus.
 ## </summary>
@@ -99,6 +137,25 @@ interface(`devicekit_signal_power',`
 
 ########################################
 ## <summary>
+##      Send a dbus message to devicekit power.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`devicekit_dbus_send_power',`
+	gen_require(`
+		type devicekit_power_t;
+		class dbus send_msg;
+	')
+
+	allow $1 devicekit_power_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	devicekit power over dbus.
 ## </summary>
@@ -183,3 +240,22 @@ interface(`devicekit_admin',`
 	admin_pattern($1, devicekit_var_run_t)
 	files_search_pids($1)
 ')
+
+########################################
+## <summary>
+##      DeviceKit power getattr on APM
+##      bios character device node files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`devicekit_getattr_apm_bios_files_power',`
+	gen_require(`
+		type apm_bios_t;
+	')
+
+	getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
+')
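Review bot: devicekit_getattr_apm_bios_files_power requires only apm_bios_t, a device node type and not one of the devicekit types used by the other interfaces in this file, and its only caller in this patch is devicekit.te itself. An interface in devicekit.if should grant access to devicekit's own types. Please put this access behind an interface in the module that declares apm_bios_t and call that from devicekit.te. The summary ("DeviceKit power getattr on APM bios character device node files.") should also describe what the calling domain may do.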
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te
--- refpolicy-git-18012011/policy/modules/services/devicekit.te	2011-01-08 19:07:21.241741196 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te	2011-01-18 23:13:49.792852039 +0100
@@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
+files_read_etc_runtime_files(devicekit_t)
 
 miscfiles_read_localization(devicekit_t)
 
@@ -178,6 +179,10 @@ optional_policy(`
 	virt_manage_images(devicekit_disk_t)
 ')
 
+optional_policy(`
+	xserver_xdm_dbus_send(devicekit_disk_t)
+')
+
 ########################################
 #
 # DeviceKit-Power local policy
@@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
 manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
 files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
 
+kernel_search_fs_sysctl(devicekit_power_t)
+kernel_rw_vm_sysctls(devicekit_power_t)
 kernel_read_network_state(devicekit_power_t)
 kernel_read_system_state(devicekit_power_t)
 kernel_rw_hotplug_sysctls(devicekit_power_t)
 kernel_rw_kernel_sysctl(devicekit_power_t)
 kernel_search_debugfs(devicekit_power_t)
 kernel_write_proc_files(devicekit_power_t)
+kernel_setsched(devicekit_power_t)
 
 corecmd_exec_bin(devicekit_power_t)
 corecmd_exec_shell(devicekit_power_t)
@@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
 
 files_read_kernel_img(devicekit_power_t)
 files_read_etc_files(devicekit_power_t)
+files_rw_etc_runtime_files(devicekit_power_t)
 files_read_usr_files(devicekit_power_t)
 
 fs_list_inotifyfs(devicekit_power_t)
+fs_remount_xattr_fs(devicekit_power_t)
 
 term_use_all_terms(devicekit_power_t)
 
@@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
 
 userdom_read_all_users_state(devicekit_power_t)
 
+devicekit_getattr_apm_bios_files_power(devicekit_power_t)
+
+mount_exec_getattr(devicekit_power_t)
+mount_exec(devicekit_power_t)
+
 optional_policy(`
 	bootloader_domtrans(devicekit_power_t)
 ')
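Review bot: mount_exec(devicekit_power_t) and mount_exec_getattr(devicekit_power_t) are not defined in any hunk shown here, so please check that they exist in the tree this was diffed against. If mount has to be started from devicekit_power_t, a domain transition, like the bootloader_domtrans call in the context lines just below, keeps mount's permissions out of the power daemon's domain. devicekit_getattr_apm_bios_files_power is also being called from the module that defines it, which is not how interfaces are meant to be used.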
@@ -276,9 +291,17 @@ optional_policy(`
 ')
 
 optional_policy(`
+	storage_raw_read_fixed_disk(devicekit_power_t)
+')
+
+optional_policy(`
 	udev_read_db(devicekit_power_t)
 ')
 
 optional_policy(`
 	vbetool_domtrans(devicekit_power_t)
 ')
+
+optional_policy(`
+	xserver_xdm_dbus_send(devicekit_power_t)
+')
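Review bot: storage_raw_read_fixed_disk(devicekit_power_t) gives the power daemon raw read access to fixed disks, which bypasses the labels on every file stored on them. There is no comment or denial to justify it. Please say which operation needs it; if it is only a probe of device attributes, a narrower getattr-style interface should be enough.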
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te
--- refpolicy-git-18012011/policy/modules/services/hal.te	2011-01-08 19:07:21.252742934 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te	2011-01-18 23:13:49.794852319 +0100
@@ -338,6 +338,10 @@ optional_policy(`
 	virt_manage_images(hald_t)
 ')
 
+optional_policy(`
+	xserver_xdm_dbus_send(hald_t)
+')
+
 ########################################
 #
 # Hal acl local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if
--- refpolicy-git-18012011/policy/modules/services/networkmanager.if	2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if	2011-01-18 23:13:49.795852460 +0100
@@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
 
 ########################################
 ## <summary>
+##      Send a dbus message to NetworkManager.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`networkmanager_dbus_send',`
+	gen_require(`
+		type NetworkManager_t;
+		class dbus send_msg;
+	')
+
+	allow $1 NetworkManager_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	NetworkManager over dbus.
 ## </summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te
--- refpolicy-git-18012011/policy/modules/services/networkmanager.te	2011-01-08 19:07:21.269745618 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te	2011-01-18 23:13:49.796852601 +0100
@@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t)
 sysnet_domtrans_ifconfig(NetworkManager_t)
 sysnet_domtrans_dhcpc(NetworkManager_t)
 sysnet_signal_dhcpc(NetworkManager_t)
+sysnet_read_dhcpc_state(NetworkManager_t)
 sysnet_read_dhcpc_pid(NetworkManager_t)
 sysnet_delete_dhcpc_pid(NetworkManager_t)
 sysnet_search_dhcp_state(NetworkManager_t)
@@ -265,6 +266,10 @@ optional_policy(`
 	vpn_signull(NetworkManager_t)
 ')
 
+optional_policy(`
+	xserver_xdm_dbus_send(NetworkManager_t)
+')
+
 ########################################
 #
 # wpa_cli local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if
--- refpolicy-git-18012011/policy/modules/services/ntp.if	2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if	2011-01-18 23:13:49.798852883 +0100
@@ -163,3 +163,62 @@ interface(`ntp_admin',`
 	files_list_pids($1)
 	admin_pattern($1, ntpd_var_run_t)
 ')
+
+########################################
+## <summary>
+##      Send a dbus message to ntpd.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_dbus_send',`
+	gen_require(`
+		type ntpd_t;
+		class dbus send_msg;
+	')
+
+	allow $1 ntpd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##      Send and receive messages from
+##      ntpd over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_dbus_chat',`
+        gen_require(`
+                type ntpd_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 ntpd_t:dbus send_msg;
+        allow ntpd_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
+##      Connect to dbus using a unix domain stream socket.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`ntp_dbus_stream_connect',`
+        gen_require(`
+                type system_dbusd_t, system_dbusd_var_run_t;
+        ')
+
+        files_search_pids($1)
+        stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
+')
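Review bot: ntp_dbus_stream_connect requires only system_dbusd_t and system_dbusd_var_run_t and no ntp type, so it is a dbus interface placed in ntp.if under an ntp_ prefix. Please move it to the dbus module, or use that module's existing client interface if it has one, and call it from ntp.te. The bodies of ntp_dbus_chat and ntp_dbus_stream_connect are indented with spaces while ntp_dbus_send above them uses tabs.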
Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ
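Review bot: the "Binary files ... .ntp.if.swp differ" line shows that an editor swap file was present in the tree when the diff was generated. Please regenerate the patch from a clean tree, or exclude swap files in the same way .git is excluded with -x, so the patch applies without stray output.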
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te
--- refpolicy-git-18012011/policy/modules/services/ntp.te	2011-01-08 19:07:21.272746092 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te	2011-01-18 23:40:27.459838030 +0100
@@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
 userdom_list_user_home_dirs(ntpd_t)
 
 optional_policy(`
+	avahi_dbus_send(ntpd_t)
+')
+
+optional_policy(`
 	# for cron jobs
 	cron_system_entry(ntpd_t, ntpdate_exec_t)
 ')
 
 optional_policy(`
+	ntp_dbus_stream_connect(ntpd_t)
+')
+
+optional_policy(`
 	gpsd_rw_shm(ntpd_t)
 ')
 
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te
--- refpolicy-git-18012011/policy/modules/services/plymouthd.te	2011-01-08 19:07:21.280747356 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te	2011-01-18 23:13:49.800853165 +0100
@@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t)
 
 allow plymouthd_t self:capability { sys_admin sys_tty_config };
 dontaudit plymouthd_t self:capability dac_override;
-allow plymouthd_t self:process signal;
+allow plymouthd_t self:process { signal getsched };
 allow plymouthd_t self:fifo_file rw_fifo_file_perms;
 allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
 
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if	2011-01-08 19:07:21.304751146 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if	2011-01-18 23:13:49.801853306 +0100
@@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
 
 ########################################
 ## <summary>
+##      Send a dbus message to
+##      setroubleshoot.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send',`
+        gen_require(`
+                type setroubleshootd_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 setroubleshootd_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
 ##	setroubleshoot over dbus.
 ## </summary>
@@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
 
 ########################################
 ## <summary>
+##      Send a dbus message to
+##      setroubleshoot fixit.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`setroubleshoot_dbus_send_fixit',`
+        gen_require(`
+                type setroubleshoot_fixit_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 setroubleshoot_fixit_t:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Send and receive messages from
-##	setroubleshoot over dbus.
+##	setroubleshoot fixit over dbus.
 ## </summary>
 ## <param name="domain">
 ##	<summary>
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te
--- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te	2011-01-08 19:07:21.305751304 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te	2011-01-18 23:13:49.802853447 +0100
@@ -125,12 +125,24 @@ optional_policy(`
 ')
 
 optional_policy(`
+	locate_read_lib_files(setroubleshootd_t)
+')
+
+optional_policy(`
+	logging_dbus_send_dispatcher(setroubleshootd_t)
+')
+
+optional_policy(`
 	rpm_signull(setroubleshootd_t)
 	rpm_read_db(setroubleshootd_t)
 	rpm_dontaudit_manage_db(setroubleshootd_t)
 	rpm_use_script_fds(setroubleshootd_t)
 ')
 
+optional_policy(`
+	xserver_xdm_dbus_send(setroubleshootd_t)
+')
+
 ########################################
 #
 # setroubleshoot_fixit local policy
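Review bot: none of the three added optional_policy blocks says which denial it resolves, and locate_read_lib_files(setroubleshootd_t) in particular needs a comment explaining why setroubleshootd reads the locate database. logging_dbus_send_dispatcher(setroubleshootd_t) here is mirrored by setroubleshoot_dbus_send(audisp_t) in the logging.te part of this patch, so the pair amounts to the two-way logging_dbus_chat_dispatcher that this patch also adds; pick one form and state whether the traffic is really bidirectional.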
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te
--- refpolicy-git-18012011/policy/modules/services/smartmon.te	2011-01-08 19:07:21.326754622 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te	2011-01-18 23:13:49.803853588 +0100
@@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t)
 # for config
 files_read_etc_files(fsdaemon_t)
 
+files_read_usr_files(fsdaemon_t)
+
 fs_getattr_all_fs(fsdaemon_t)
 fs_search_auto_mountpoints(fsdaemon_t)
 
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if
--- refpolicy-git-18012011/policy/modules/services/xserver.if	2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if	2011-01-18 23:13:49.804853729 +0100
@@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##      Send a dbus message to xdm. 
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_send',`
+	gen_require(`
+		type xdm_t;
+		class dbus send_msg;
+	')
+
+	allow $1 xdm_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##      Send and receive messages from
+##      xdm over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`xserver_xdm_dbus_chat',`
+        gen_require(`
+                type xdm_t;
+                class dbus send_msg;
+        ')
+
+        allow $1 xdm_t:dbus send_msg;
+        allow xdm_t $1:dbus send_msg;
+')
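Review bot: xserver_xdm_dbus_chat is indented with eight spaces, while xserver_xdm_dbus_send, added a few lines above it in the same hunk, uses tabs like the rest of the file; convert the second interface to tabs. The summary line "Send a dbus message to xdm. " also ends in trailing whitespace.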
diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te
--- refpolicy-git-18012011/policy/modules/services/xserver.te	2011-01-08 19:07:21.344757464 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te	2011-01-18 23:13:49.806854011 +0100
@@ -508,6 +508,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	avahi_dbus_send(xdm_t)
+')
+
+optional_policy(`
 	consolekit_dbus_chat(xdm_t)
 ')
 
@@ -516,12 +520,21 @@ optional_policy(`
 ')
 
 optional_policy(`
+	devicekit_dbus_send_disk(xdm_t)
+	devicekit_dbus_send_power(xdm_t)
+')
+
+optional_policy(`
 	# Talk to the console mouse server.
 	gpm_stream_connect(xdm_t)
 	gpm_setattr_gpmctl(xdm_t)
 ')
 
 optional_policy(`
+	hal_dbus_send(xdm_t)
+')
+
+optional_policy(`
 	hostname_exec(xdm_t)
 ')
 
@@ -539,10 +552,18 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_send(xdm_t)
+')
+
+optional_policy(`
 	resmgr_stream_connect(xdm_t)
 ')
 
 optional_policy(`
+	setroubleshoot_dbus_send(xdm_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(xdm_t)
 ')
 
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
--- refpolicy-git-18012011/policy/modules/system/authlogin.te	2011-01-08 19:07:21.347757938 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te	2011-01-18 23:13:49.808854293 +0100
@@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
 # is_selinux_enabled
 kernel_read_system_state(chkpwd_t)
 
+kernel_search_sysctl(chkpwd_t)
+
 domain_dontaudit_use_interactive_fds(chkpwd_t)
 
 dev_read_rand(chkpwd_t)
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
--- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if	2011-01-18 23:13:49.809854434 +0100
@@ -947,6 +947,24 @@ interface(`init_read_state',`
 
 ########################################
 ## <summary>
+##      Read init fifo file.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`init_read_fifo_file',`
+	gen_require(`
+		attribute init_t;
+	')
+
+	read_fifo_files_pattern($1, init_t, init_t)
+')
+
+########################################
+## <summary>
 ##	Ptrace init
 ## </summary>
 ## <param name="domain">
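Review bot: the gen_require block of init_read_fifo_file declares "attribute init_t;", but init_t is the init domain type and is used as a type in read_fifo_files_pattern($1, init_t, init_t) two lines later; the require should be "type init_t;". A require on the wrong kind of symbol can leave the interface unusable for callers, so this needs fixing before the readahead.te caller can rely on it.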
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
--- refpolicy-git-18012011/policy/modules/system/logging.if	2011-01-08 19:07:21.355759202 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if	2011-01-18 23:13:49.812854857 +0100
@@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
 
 ########################################
 ## <summary>
+##      Send a dbus message to the audit
+##      dispatcher.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_dbus_send_dispatcher',`
+	gen_require(`
+		type audisp_t;
+		class dbus send_msg;
+	')
+
+	allow $1 audisp_t:dbus send_msg;
+')
+
+########################################
+## <summary>
+##      Send and receive messages from
+##      the audit dispatcher over dbus.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`logging_dbus_chat_dispatcher',`
+	gen_require(`
+		type audisp_t;
+		class dbus send_msg;
+	')
+
+	allow $1 audisp_t:dbus send_msg;
+	allow audisp_t $1:dbus send_msg;
+')
+
+########################################
+## <summary>
 ##	Manage the auditd configuration files.
 ## </summary>
 ## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
--- refpolicy-git-18012011/policy/modules/system/logging.te	2011-01-08 19:07:21.356759360 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te	2011-01-18 23:13:49.813854998 +0100
@@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr
 
 allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
 
+allow audisp_t proc_t:file read_file_perms;
+
 manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
 files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
 
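Review bot: the added rule "allow audisp_t proc_t:file read_file_perms;" names proc_t directly in logging.te, but proc_t is owned by the kernel module and a .te file should reach another module's types through that module's interfaces. Replace it with the matching kernel_ interface (kernel_read_system_state is the one authlogin.te already uses for chkpwd_t) and add a comment saying which /proc file the dispatcher reads.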
@@ -246,6 +248,10 @@ optional_policy(`
 	dbus_system_bus_client(audisp_t)
 ')
 
+optional_policy(`
+	setroubleshoot_dbus_send(audisp_t)
+')
+
 ########################################
 #
 # Audit remote logger local policy
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
--- refpolicy-git-18012011/policy/modules/system/mount.if	2011-01-08 19:07:21.358759676 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if	2011-01-18 23:13:49.814855139 +0100
@@ -51,6 +51,25 @@ interface(`mount_run',`
 
 ########################################
 ## <summary>
+##      Get the attributes of mount
+##      executable files.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`mount_exec_getattr',`
+	gen_require(`
+		type mount_exec_t;
+	')
+
+	allow $1 mount_exec_t:file getattr;
+')
+
+########################################
+## <summary>
 ##	Execute mount in the caller domain.
 ## </summary>
 ## <param name="domain">
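Review bot: the name mount_exec_getattr puts the object before the verb, while the other interfaces in this patch are verb-first after the module prefix (init_read_fifo_file, sysnet_search_dhcpc_state, files_getattr_bin_files); rename it to a verb-first form so it can be found next to the other getattr interfaces. The summary says "executable files" in the plural, which the name should reflect as well.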
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
--- refpolicy-git-18012011/policy/modules/system/mount.te	2011-01-17 19:36:10.814131755 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te	2011-01-19 01:01:20.531005215 +0100
@@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
 kernel_dontaudit_getattr_core_if(mount_t)
 kernel_dontaudit_write_debugfs_dirs(mount_t)
 kernel_dontaudit_write_proc_dirs(mount_t)
+kernel_setsched(mount_t)
 # To load binfmt_misc kernel module
 kernel_request_load_module(mount_t)
 
 # required for mount.smbfs
 corecmd_exec_bin(mount_t)
 
+# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
+# from initscripts 
+corecmd_mmap_file_exec_shell(mount_t)
+
 dev_getattr_all_blk_files(mount_t)
 dev_list_all_dev_nodes(mount_t)
 dev_read_sysfs(mount_t)
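Review bot: kernel_setsched(mount_t) is inserted after the kernel_dontaudit_* lines with no explanation, unlike the corecmd_mmap_file_exec_shell line below it, which says what needs it. This is a new grant rather than a silenced audit message, so add a comment naming the mount helper or the denial that requires it. The comment line "# from initscripts " also has trailing whitespace.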
@@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
 storage_raw_write_fixed_disk(mount_t)
 storage_raw_read_removable_device(mount_t)
 storage_raw_write_removable_device(mount_t)
+# needed for example by ntfs-3g
+storage_rw_fuse(mount_t)
 
 term_use_all_terms(mount_t)
 
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
--- refpolicy-git-18012011/policy/modules/system/sysnetwork.if	2011-01-08 19:07:21.362760308 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if	2011-01-18 23:13:49.817855562 +0100
@@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
 
 ########################################
 ## <summary>
+##      Search dhcp client state directories.
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain allowed access.
+##      </summary>
+## </param>
+#
+interface(`sysnet_search_dhcpc_state',`
+	gen_require(`
+		type dhcpc_state_t;
+	')
+
+	search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
+')
+
+########################################
+## <summary>
 ##	Read dhcp client state files.
 ## </summary>
 ## <param name="domain">
diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
--- refpolicy-git-18012011/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
+++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te	2011-01-18 23:13:49.818855703 +0100
@@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
 ')
 
 optional_policy(`
+	hal_read_pid_files(ifconfig_t)
 	hal_dontaudit_rw_pipes(ifconfig_t)
 	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
 ')


* [refpolicy] RFC: patch to update git reference policy
  2011-01-19  0:40 [refpolicy] RFC: patch to update git reference policy Guido Trentalancia
@ 2011-01-20 13:18 ` Christopher J. PeBenito
  2011-01-20 17:32   ` Guido Trentalancia
  0 siblings, 1 reply; 13+ messages in thread
From: Christopher J. PeBenito @ 2011-01-20 13:18 UTC (permalink / raw)
  To: refpolicy

On 01/18/11 19:40, Guido Trentalancia wrote:
> Hello,
> 
> I have created a set of two patches to update the git reference policy
> to run on a generic modern Linux system.
> 
> Most changes are relative to the dbus system (send_msg capability). Some
> interfaces and a few file contexts have also been added for convenience.
> In particular /sbin/upstart is now labelled correctly (many
> distributions nowadays link /sbin/init to /sbin/upstart to leave some
> choice, so it is necessary to label the latter appropriately).
> 
> Please send your comments and feel free to test intensively. Thanks.

There are too many changes in this patch and the other.  Can you
resubmit, breaking each logically separate change into a different patch?

> diff -pruN refpolicy-git-18012011/policy/modules/services/dbus.fc refpolicy-git-18012011-new/policy/modules/services/dbus.fc
> --- refpolicy-git-18012011/policy/modules/services/dbus.fc	2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-new/policy/modules/services/dbus.fc	2011-01-17 20:53:01.132703217 +0100
> @@ -1,11 +1,24 @@
>  /etc/dbus-1(/.*)?		gen_context(system_u:object_r:dbusd_etc_t,s0)
>  
>  /bin/dbus-daemon 	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-cleanup-sockets	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-launch	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-monitor	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-send		--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-uuidgen	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/bin/dbus-binding-tool	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
>  
>  /lib/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>  /lib64/dbus-1/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>  
>  /usr/bin/dbus-daemon(-1)? --	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-cleanup-sockets	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-launch	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-monitor	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-send	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-uuidgen	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +/usr/bin/dbus-binding-tool	--	gen_context(system_u:object_r:dbusd_exec_t,s0)
> +
>  /usr/libexec/dbus-daemon-launch-helper -- gen_context(system_u:object_r:dbusd_exec_t,s0)
>  
>  /var/lib/dbus(/.*)?		gen_context(system_u:object_r:system_dbusd_var_lib_t,s0)
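Review bot: labelling the client utilities in the /bin and /usr/bin blocks (dbus-send, dbus-monitor, dbus-launch, dbus-uuidgen, dbus-cleanup-sockets, dbus-binding-tool) as dbusd_exec_t gives them the same type this file assigns to dbus-daemon and dbus-daemon-launch-helper. That type is the daemon's entry point, so a domain that transitions on dbusd_exec_t would also enter the bus daemon's domain when it runs one of these tools. Leave the utilities at their default label or give them a separate type, and say which denial prompted the relabel.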
> diff -pruN refpolicy-git-18012011/policy/modules/system/init.fc refpolicy-git-18012011-new/policy/modules/system/init.fc
> --- refpolicy-git-18012011/policy/modules/system/init.fc	2011-01-08 19:07:21.350758412 +0100
> +++ refpolicy-git-18012011-new/policy/modules/system/init.fc	2011-01-17 20:35:02.785918606 +0100
> @@ -34,6 +34,8 @@ ifdef(`distro_gentoo', `
>  # /sbin
>  #
>  /sbin/init(ng)?		--	gen_context(system_u:object_r:init_exec_t,s0)
> +# because nowadays, /sbin/init is often a symlink to /sbin/upstart
> +/sbin/upstart		--	gen_context(system_u:object_r:init_exec_t,s0)
>  
>  ifdef(`distro_gentoo', `
>  /sbin/rc		--	gen_context(system_u:object_r:initrc_exec_t,s0)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/admin/readahead.te refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te
> --- refpolicy-git-18012011/policy/modules/admin/readahead.te	2011-01-08 19:07:21.165729194 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/admin/readahead.te	2011-01-18 23:13:49.754846681 +0100
> @@ -79,6 +79,7 @@ term_dontaudit_use_console(readahead_t)
>  
>  auth_dontaudit_read_shadow(readahead_t)
>  
> +init_read_fifo_file(readahead_t)
>  init_use_fds(readahead_t)
>  init_use_script_ptys(readahead_t)
>  init_getattr_initctl(readahead_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/corecommands.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if
> --- refpolicy-git-18012011/policy/modules/kernel/corecommands.if	2011-01-08 19:07:21.197734248 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/corecommands.if	2011-01-18 23:13:49.755846822 +0100
> @@ -808,6 +808,27 @@ interface(`corecmd_check_exec_shell',`
>  
>  ########################################
>  ## <summary>
> +##      Allow mmap_file_perms on a shell
> +##      executable.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`corecmd_mmap_file_exec_shell',`
> +        gen_require(`
> +                type bin_t, shell_exec_t;
> +        ')
> +
> +        list_dirs_pattern($1, bin_t, bin_t)
> +        read_lnk_files_pattern($1, bin_t, bin_t)
> +        allow $1 shell_exec_t:file mmap_file_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute shells in the caller domain.
>  ## </summary>
>  ## <desc>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/files.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if
> --- refpolicy-git-18012011/policy/modules/kernel/files.if	2011-01-08 19:07:21.203735196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/files.if	2011-01-18 23:13:49.759847386 +0100
> @@ -4131,6 +4131,126 @@ interface(`files_purge_tmp',`
>  
>  ########################################
>  ## <summary>
> +##      Set the attributes of the /bin directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_setattr_bin_dirs',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir setattr;
> +')
> +
> +########################################
> +## <summary>
> +##      Search the content of /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_search_bin',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##      Get the attributes of files in /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_getattr_bin_files',`
> +        gen_require(`
> +                type bin_t;
> +        ')
> +
> +        getattr_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Read generic files in /bin.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Allow the specified domain to read generic
> +##      files in /bin. These files are various program
> +##      files that do not have more specific SELinux types.
> +##      </p>
> +## </desc>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_read_bin_files',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir list_dir_perms;
> +	read_files_pattern($1, bin_t, bin_t)
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Execute generic programs in /bin in the caller domain.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_exec_bin_files',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	allow $1 bin_t:dir list_dir_perms;
> +	exec_files_pattern($1, bin_t, bin_t)
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Read symbolic links in /bin.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_bin_symlinks',`
> +	gen_require(`
> +		type bin_t;
> +	')
> +
> +	read_lnk_files_pattern($1, bin_t, bin_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Set the attributes of the /usr directory.
>  ## </summary>
>  ## <param name="domain">
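Review bot: the six new files_*_bin_* interfaces gen_require bin_t inside files.if, but bin_t belongs to the corecommands module: the corecmd_mmap_file_exec_shell hunk earlier in this patch requires it there, and mount.te already calls corecmd_exec_bin. These additions duplicate corecmd_ functionality from the wrong module; drop them and have callers such as system_dbusd_t use the corecmd_ interfaces instead.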
> @@ -4149,7 +4269,7 @@ interface(`files_setattr_usr_dirs',`
>  
>  ########################################
>  ## <summary>
> -##	Search the content of /etc.
> +##	Search the content of /usr.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> @@ -5070,6 +5190,196 @@ interface(`files_manage_mounttab',`
>  ')
>  
>  ########################################
> +## <summary>
> +##      Get the attributes of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_getattr_var_log_dirs',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	getattr_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Search the /var/log directory.
> +## </summary>
> +## <desc>
> +##      <p>
> +##      Search the /var/log directory.  This is
> +##      necessary to access files or directories under
> +##      /var/log that have a private type.  For example, a
> +##      domain accessing a private log file in the
> +##      /var/log directory:
> +##      </p>
> +##      <p>
> +##      allow mydomain_t mylogfile_t:file read_file_perms;
> +##      files_search_var_log(mydomain_t)
> +##      </p>
> +## </desc>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_search_var_log',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	search_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Do not audit attempts to search the
> +##      contents of /var/log.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit.
> +##      </summary>
> +## </param>
> +## <infoflow type="read" weight="5"/>
> +#
> +interface(`files_dontaudit_search_var_log',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	dontaudit $1 var_log_t:dir search_dir_perms;
> +')
> +
> +########################################
> +## <summary>
> +##      List the contents of the /var/log directory.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_list_var_log',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	list_dirs_pattern($1, var_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +##      Read-write /var/log directories
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_rw_var_log_dirs',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	rw_dirs_pattern($1, var_log_t, var_log_t)
> +')
> +
> +###########################################
> +## <summary>
> +##      Append to files in the /var/log directories
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_var_log_append',`
> +	gen_require(`
> +		type var_log_t;
> +	')
> +
> +	append_files_pattern($1, var_log_t, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Create objects in the /var/log directory
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +## <param name="file_type">
> +##      <summary>
> +##      The type of the object to be created
> +##      </summary>
> +## </param>
> +## <param name="object_class">
> +##      <summary>
> +##      The object class.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_var_log_filetrans',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	allow $1 var_t:dir search_dir_perms;
> +	filetrans_pattern($1, var_log_t, $2, $3)
> +')
> +
> +########################################
> +## <summary>
> +##      Read generic files in /var/log.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_files',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	allow $1 var_log_t:dir list_dir_perms;
> +	read_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
> +## <summary>
> +##      Read generic symbolic links in /var/log
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`files_read_var_log_symlinks',`
> +	gen_require(`
> +		type var_t, var_log_t;
> +	')
> +
> +	read_lnk_files_pattern($1, { var_t var_log_t }, var_log_t)
> +')
> +
> +########################################
>  ## <summary>
>  ##	Search the locks directory (/var/lock).
>  ## </summary>
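Review bot: this block adds nine /var/log interfaces to files.if that gen_require var_log_t, a type owned by the logging module, which already exports interfaces for this directory (logging_search_logs and related); use or extend those instead of duplicating them here. The name files_var_log_append also breaks the verb-first pattern of its neighbours such as files_read_var_log_files, and the hunk moves the "########" separator line, which makes the diff harder to read than an insertion below the existing separator would.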
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/kernel/kernel.if refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if
> --- refpolicy-git-18012011/policy/modules/kernel/kernel.if	2011-01-17 19:36:10.808130722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/kernel/kernel.if	2011-01-18 23:13:49.763847950 +0100
> @@ -1406,6 +1406,26 @@ interface(`kernel_dontaudit_list_all_pro
>  
>  ########################################
>  ## <summary>
> +##      Allows to search the base
> +##      directory of sysctls.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain to not audit.
> +##      </summary>
> +## </param>
> +##
> +#
> +interface(`kernel_search_sysctl',`
> +        gen_require(`
> +                type sysctl_t;
> +        ')
> +
> +        allow $1 sysctl_t:dir search;
> +')
> +
> +########################################
> +## <summary>
>  ##	Do not audit attempts by caller to search
>  ##	the base directory of sysctls.
>  ## </summary>
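Review bot: the param description for kernel_search_sysctl reads "Domain to not audit.", but the body is an allow rule ("allow $1 sysctl_t:dir search;"), so the text looks copied from the dontaudit interface that follows; it should read "Domain allowed access." like the other new interfaces. The stray "##" line before "#" and the wording "Allows to search" should be cleaned up at the same time, and search_dir_perms would match the permission sets used elsewhere in the patch better than a bare "search".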
> @@ -1873,6 +1893,24 @@ interface(`kernel_rw_kernel_sysctl',`
>  ')
>  
>  ########################################
> +## <summary>
> +##      Allow caller to search filesystem sysctls.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`kernel_search_fs_sysctl',`
> +	gen_require(`
> +		type proc_t, sysctl_t, sysctl_fs_t;
> +	')
> +
> +	search_dirs_pattern($1, { proc_t sysctl_t }, sysctl_fs_t)
> +')
> +
> +########################################
>  ## <summary>
>  ##	Read filesystem sysctls.
>  ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.if refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if
> --- refpolicy-git-18012011/policy/modules/services/avahi.if	2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.if	2011-01-18 23:38:58.297498219 +0100
> @@ -75,6 +75,25 @@ interface(`avahi_signull',`
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to avahi.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`avahi_dbus_send',`
> +	gen_require(`
> +		type avahi_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 avahi_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	avahi over dbus.
>  ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/avahi.te refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te
> --- refpolicy-git-18012011/policy/modules/services/avahi.te	2011-01-08 19:07:21.224738512 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/avahi.te	2011-01-19 01:20:50.132124585 +0100
> @@ -104,9 +104,17 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	ntp_dbus_send(avahi_t)
> +')
> +
> +optional_policy(`
>  	seutil_sigchld_newrole(avahi_t)
>  ')
>  
>  optional_policy(`
>  	udev_read_db(avahi_t)
>  ')
> +
> +optional_policy(`
> +	xserver_xdm_dbus_send(avahi_t)
> +')
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/consolekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if
> --- refpolicy-git-18012011/policy/modules/services/consolekit.if	2011-01-08 19:07:21.232739776 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/consolekit.if	2011-01-18 23:13:49.767848514 +0100
> @@ -20,6 +20,26 @@ interface(`consolekit_domtrans',`
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to
> +##      consolekit.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`consolekit_dbus_send',`
> +        gen_require(`
> +                type consolekit_t;
> +                class dbus send_msg;
> +        ')
> +
> +        allow $1 consolekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	consolekit over dbus.
>  ## </summary>
> @@ -93,5 +113,6 @@ interface(`consolekit_read_pid_files',`
>  	')
>  
>  	files_search_pids($1)
> +	allow $1 consolekit_var_run_t:dir list_dir_perms;
>  	read_files_pattern($1, consolekit_var_run_t, consolekit_var_run_t)
>  ')
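Review bot: adding "allow $1 consolekit_var_run_t:dir list_dir_perms;" inside the existing consolekit_read_pid_files widens that interface for every current caller, not only for system_dbusd_t, which this patch adds as a caller in dbus.te. If only the bus daemon needs to list the directory, put the rule in a separate list interface and call both from dbus.te; if the change is meant for all callers, update the interface summary to say that it now lists as well as reads.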
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/dbus.te refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te
> --- refpolicy-git-18012011/policy/modules/services/dbus.te	2011-01-08 19:07:21.238740722 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/dbus.te	2011-01-18 23:13:49.790851763 +0100
> @@ -52,7 +52,7 @@ ifdef(`enable_mls',`
>  
>  # dac_override: /var/run/dbus is owned by messagebus on Debian
>  # cjp: dac_override should probably go in a distro_debian
> -allow system_dbusd_t self:capability { dac_override setgid setpcap setuid };
> +allow system_dbusd_t self:capability { dac_override setgid setpcap setuid sys_ptrace };
>  dontaudit system_dbusd_t self:capability sys_tty_config;
>  allow system_dbusd_t self:process { getattr getsched signal_perms setpgid getcap setcap };
>  allow system_dbusd_t self:fifo_file rw_fifo_file_perms;
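Review bot: sys_ptrace is added to the capability set of system_dbusd_t with no comment, while the two comment lines directly above the rule already question dac_override. This is a sensitive capability for the system bus daemon, so state what dbus-daemon does that triggers the check and quote the denial; if the bus works without it, a dontaudit rule like the sys_tty_config one on the next line is the safer choice.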
> @@ -115,9 +115,14 @@ corecmd_read_bin_sockets(system_dbusd_t)
>  domain_use_interactive_fds(system_dbusd_t)
>  domain_read_all_domains_state(system_dbusd_t)
>  
> +files_search_default(system_dbusd_t)
> +files_read_default_files(system_dbusd_t)
>  files_read_etc_files(system_dbusd_t)
>  files_list_home(system_dbusd_t)
> -files_read_usr_files(system_dbusd_t)
> +files_exec_bin_files(system_dbusd_t)
> +files_exec_usr_files(system_dbusd_t)
> +files_read_var_lib_files(system_dbusd_t)
> +files_var_log_append(system_dbusd_t)
>  
>  init_use_fds(system_dbusd_t)
>  init_use_script_ptys(system_dbusd_t)
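Review bot: replacing files_read_usr_files(system_dbusd_t) with files_exec_bin_files and files_exec_usr_files lets the bus daemon execute generic programs from /bin and /usr in its own domain, and the same hunk adds files_read_default_files and files_var_log_append, all without a comment. Name the activated service or helper that needs each grant, and prefer a domain transition for helpers over executing them inside system_dbusd_t. Reading default_t files usually points at a mislabelled file that should be fixed in a .fc entry instead.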
> @@ -141,6 +146,24 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	consolekit_read_pid_files(system_dbusd_t)
> +	consolekit_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> +	devicekit_dbus_send_disk(system_dbusd_t)
> +	devicekit_dbus_send_power(system_dbusd_t)
> +')
> +
> +optional_policy(`
> +	networkmanager_dbus_send(system_dbusd_t)
> +')
> +
> +optional_policy(`
> +	ntp_dbus_chat(system_dbusd_t)
> +')
> +
> +optional_policy(`
>  	policykit_dbus_chat(system_dbusd_t)
>  	policykit_domtrans_auth(system_dbusd_t)
>  	policykit_search_lib(system_dbusd_t)
> @@ -154,6 +177,10 @@ optional_policy(`
>  	udev_read_db(system_dbusd_t)
>  ')
>  
> +optional_policy(`
> +	xserver_xdm_dbus_chat(system_dbusd_t)
> +')
> +
>  ########################################
>  #
>  # Unconfined access to this module
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.if refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if
> --- refpolicy-git-18012011/policy/modules/services/devicekit.if	2011-01-08 19:07:21.240741038 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.if	2011-01-18 23:13:49.791851900 +0100
> @@ -39,6 +39,25 @@ interface(`devicekit_dgram_send',`
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to devicekit.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send',`
> +	gen_require(`
> +		type devicekit_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 devicekit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	devicekit over dbus.
>  ## </summary>
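Review bot: devicekit_dbus_send is not called in any of the hunks visible here (dbus.te and xserver.te use only the _disk and _power variants), so it could be left out until a caller exists. The new summary and param lines are also indented with spaces after ## where the existing interface just below uses a tab; the same applies to the other interfaces added to this file.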
> @@ -60,6 +79,25 @@ interface(`devicekit_dbus_chat',`
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to devicekit disk.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_disk',`
> +        gen_require(`
> +		type devicekit_disk_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 devicekit_disk_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	devicekit disk over dbus.
>  ## </summary>
> @@ -99,6 +137,25 @@ interface(`devicekit_signal_power',`
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to devicekit power.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`devicekit_dbus_send_power',`
> +	gen_require(`
> +		type devicekit_power_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 devicekit_power_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	devicekit power over dbus.
>  ## </summary>
> @@ -183,3 +240,22 @@ interface(`devicekit_admin',`
>  	admin_pattern($1, devicekit_var_run_t)
>  	files_search_pids($1)
>  ')
> +
> +########################################
> +## <summary>
> +##      DeviceKit power getattr on APM
> +##      bios character device node files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`devicekit_getattr_apm_bios_files_power',`
> +	gen_require(`
> +		type apm_bios_t;
> +	')
> +
> +	getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t)
> +')
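Review bot: devicekit_getattr_apm_bios_files_power requires apm_bios_t, a type this module does not own, and its only caller in this patch is devicekit_power_t itself, so it should be an interface of the module that declares the device type rather than of devicekit. The pattern call also passes apm_bios_t as the directory type in getattr_chr_files_pattern($1, apm_bios_t, apm_bios_t), although the summary describes it as a character device node.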
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/devicekit.te refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te
> --- refpolicy-git-18012011/policy/modules/services/devicekit.te	2011-01-08 19:07:21.241741196 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/devicekit.te	2011-01-18 23:13:49.792852039 +0100
> @@ -43,6 +43,7 @@ dev_read_sysfs(devicekit_t)
>  dev_read_urand(devicekit_t)
>  
>  files_read_etc_files(devicekit_t)
> +files_read_etc_runtime_files(devicekit_t)
>  
>  miscfiles_read_localization(devicekit_t)
>  
> @@ -178,6 +179,10 @@ optional_policy(`
>  	virt_manage_images(devicekit_disk_t)
>  ')
>  
> +optional_policy(`
> +	xserver_xdm_dbus_send(devicekit_disk_t)
> +')
> +
>  ########################################
>  #
>  # DeviceKit-Power local policy
> @@ -193,12 +198,15 @@ manage_dirs_pattern(devicekit_power_t, d
>  manage_files_pattern(devicekit_power_t, devicekit_var_lib_t, devicekit_var_lib_t)
>  files_var_lib_filetrans(devicekit_power_t, devicekit_var_lib_t, dir)
>  
> +kernel_search_fs_sysctl(devicekit_power_t)
> +kernel_rw_vm_sysctls(devicekit_power_t)
>  kernel_read_network_state(devicekit_power_t)
>  kernel_read_system_state(devicekit_power_t)
>  kernel_rw_hotplug_sysctls(devicekit_power_t)
>  kernel_rw_kernel_sysctl(devicekit_power_t)
>  kernel_search_debugfs(devicekit_power_t)
>  kernel_write_proc_files(devicekit_power_t)
> +kernel_setsched(devicekit_power_t)
>  
>  corecmd_exec_bin(devicekit_power_t)
>  corecmd_exec_shell(devicekit_power_t)
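Review bot: kernel_setsched and kernel_rw_vm_sysctls are added for devicekit_power_t without a comment on what uses them. Both are broad grants for a power-management daemon; please name the program run by devicekit-power that triggers the denials so the access can be scoped or moved to that helper's domain.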
> @@ -215,9 +223,11 @@ dev_rw_sysfs(devicekit_power_t)
>  
>  files_read_kernel_img(devicekit_power_t)
>  files_read_etc_files(devicekit_power_t)
> +files_rw_etc_runtime_files(devicekit_power_t)
>  files_read_usr_files(devicekit_power_t)
>  
>  fs_list_inotifyfs(devicekit_power_t)
> +fs_remount_xattr_fs(devicekit_power_t)
>  
>  term_use_all_terms(devicekit_power_t)
>  
> @@ -230,6 +240,11 @@ sysnet_domtrans_ifconfig(devicekit_power
>  
>  userdom_read_all_users_state(devicekit_power_t)
>  
> +devicekit_getattr_apm_bios_files_power(devicekit_power_t)
> +
> +mount_exec_getattr(devicekit_power_t)
> +mount_exec(devicekit_power_t)
> +
>  optional_policy(`
>  	bootloader_domtrans(devicekit_power_t)
>  ')
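Review bot: mount_exec_getattr looks redundant next to mount_exec, since being able to execute mount_exec_t in the caller domain already implies getattr on it. More importantly, mount_exec runs mount inside devicekit_power_t, which probably explains the fs_remount_xattr_fs and storage_raw_read_fixed_disk additions elsewhere in this file; a domain transition to mount_t would keep those permissions in the domain that already has them.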
> @@ -276,9 +291,17 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	storage_raw_read_fixed_disk(devicekit_power_t)
> +')
> +
> +optional_policy(`
>  	udev_read_db(devicekit_power_t)
>  ')
>  
>  optional_policy(`
>  	vbetool_domtrans(devicekit_power_t)
>  ')
> +
> +optional_policy(`
> +	xserver_xdm_dbus_send(devicekit_power_t)
> +')
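Review bot: storage_raw_read_fixed_disk(devicekit_power_t) is wrapped in optional_policy, but the mount.te context in this same patch calls storage_raw_read_fixed_disk(mount_t) unconditionally, so the wrapper is unnecessary. Raw read of fixed disks exposes every file on the system regardless of its label, so this grant needs a comment stating what devicekit-power reads from the block device.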
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/hal.te refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te
> --- refpolicy-git-18012011/policy/modules/services/hal.te	2011-01-08 19:07:21.252742934 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/hal.te	2011-01-18 23:13:49.794852319 +0100
> @@ -338,6 +338,10 @@ optional_policy(`
>  	virt_manage_images(hald_t)
>  ')
>  
> +optional_policy(`
> +	xserver_xdm_dbus_send(hald_t)
> +')
> +
>  ########################################
>  #
>  # Hal acl local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.if refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.if	2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.if	2011-01-18 23:13:49.795852460 +0100
> @@ -116,6 +116,25 @@ interface(`networkmanager_initrc_domtran
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to NetworkManager.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`networkmanager_dbus_send',`
> +	gen_require(`
> +		type NetworkManager_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 NetworkManager_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	NetworkManager over dbus.
>  ## </summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/networkmanager.te refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te
> --- refpolicy-git-18012011/policy/modules/services/networkmanager.te	2011-01-08 19:07:21.269745618 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/networkmanager.te	2011-01-18 23:13:49.796852601 +0100
> @@ -140,6 +140,7 @@ seutil_read_config(NetworkManager_t)
>  sysnet_domtrans_ifconfig(NetworkManager_t)
>  sysnet_domtrans_dhcpc(NetworkManager_t)
>  sysnet_signal_dhcpc(NetworkManager_t)
> +sysnet_read_dhcpc_state(NetworkManager_t)
>  sysnet_read_dhcpc_pid(NetworkManager_t)
>  sysnet_delete_dhcpc_pid(NetworkManager_t)
>  sysnet_search_dhcp_state(NetworkManager_t)
> @@ -265,6 +266,10 @@ optional_policy(`
>  	vpn_signull(NetworkManager_t)
>  ')
>  
> +optional_policy(`
> +	xserver_xdm_dbus_send(NetworkManager_t)
> +')
> +
>  ########################################
>  #
>  # wpa_cli local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.if refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if
> --- refpolicy-git-18012011/policy/modules/services/ntp.if	2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.if	2011-01-18 23:13:49.798852883 +0100
> @@ -163,3 +163,62 @@ interface(`ntp_admin',`
>  	files_list_pids($1)
>  	admin_pattern($1, ntpd_var_run_t)
>  ')
> +
> +########################################
> +## <summary>
> +##      Send a dbus message to ntpd.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_send',`
> +	gen_require(`
> +		type ntpd_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 ntpd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##      Send and receive messages from
> +##      ntpd over dbus.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_chat',`
> +        gen_require(`
> +                type ntpd_t;
> +                class dbus send_msg;
> +        ')
> +
> +        allow $1 ntpd_t:dbus send_msg;
> +        allow ntpd_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##      Connect to dbus using a unix domain stream socket.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`ntp_dbus_stream_connect',`
> +        gen_require(`
> +                type system_dbusd_t, system_dbusd_var_run_t;
> +        ')
> +
> +        files_search_pids($1)
> +        stream_connect_pattern($1, system_dbusd_var_run_t, system_dbusd_var_run_t, system_dbusd_t)
> +')
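Review bot: ntp_dbus_stream_connect contains nothing specific to ntp: it requires only system_dbusd_t and system_dbusd_var_run_t and is then called on ntpd_t from ntp.te, so it belongs in the dbus module, if it is needed at all given that logging.te already uses dbus_system_bus_client(audisp_t) for the same purpose. ntp_dbus_send is also unused in the hunks visible here.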
> Binary files refpolicy-git-18012011/policy/modules/services/.ntp.if.swp and refpolicy-git-18012011-minimum-update/policy/modules/services/.ntp.if.swp differ
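Review bot: the diff picked up an editor swap file (.ntp.if.swp) from the working tree. Please regenerate the patch from a clean tree or exclude swap files, as -x .git already does for the repository directory.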
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/ntp.te refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te
> --- refpolicy-git-18012011/policy/modules/services/ntp.te	2011-01-08 19:07:21.272746092 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/ntp.te	2011-01-18 23:40:27.459838030 +0100
> @@ -125,11 +125,19 @@ userdom_dontaudit_use_unpriv_user_fds(nt
>  userdom_list_user_home_dirs(ntpd_t)
>  
>  optional_policy(`
> +	avahi_dbus_send(ntpd_t)
> +')
> +
> +optional_policy(`
>  	# for cron jobs
>  	cron_system_entry(ntpd_t, ntpdate_exec_t)
>  ')
>  
>  optional_policy(`
> +	ntp_dbus_stream_connect(ntpd_t)
> +')
> +
> +optional_policy(`
>  	gpsd_rw_shm(ntpd_t)
>  ')
>  
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/plymouthd.te refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te
> --- refpolicy-git-18012011/policy/modules/services/plymouthd.te	2011-01-08 19:07:21.280747356 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/plymouthd.te	2011-01-18 23:13:49.800853165 +0100
> @@ -29,7 +29,7 @@ files_pid_file(plymouthd_var_run_t)
>  
>  allow plymouthd_t self:capability { sys_admin sys_tty_config };
>  dontaudit plymouthd_t self:capability dac_override;
> -allow plymouthd_t self:process signal;
> +allow plymouthd_t self:process { signal getsched };
>  allow plymouthd_t self:fifo_file rw_fifo_file_perms;
>  allow plymouthd_t self:unix_stream_socket create_stream_socket_perms;
>  
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.if refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.if	2011-01-08 19:07:21.304751146 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.if	2011-01-18 23:13:49.801853306 +0100
> @@ -42,6 +42,26 @@ interface(`setroubleshoot_dontaudit_stre
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to
> +##      setroubleshoot.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send',`
> +        gen_require(`
> +                type setroubleshootd_t;
> +                class dbus send_msg;
> +        ')
> +
> +        allow $1 setroubleshootd_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
>  ##	setroubleshoot over dbus.
>  ## </summary>
> @@ -84,8 +104,28 @@ interface(`setroubleshoot_dontaudit_dbus
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to
> +##      setroubleshoot fixit.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`setroubleshoot_dbus_send_fixit',`
> +        gen_require(`
> +                type setroubleshoot_fixit_t;
> +                class dbus send_msg;
> +        ')
> +
> +        allow $1 setroubleshoot_fixit_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Send and receive messages from
> -##	setroubleshoot over dbus.
> +##	setroubleshoot fixit over dbus.
>  ## </summary>
>  ## <param name="domain">
>  ##	<summary>
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/setroubleshoot.te refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te
> --- refpolicy-git-18012011/policy/modules/services/setroubleshoot.te	2011-01-08 19:07:21.305751304 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/setroubleshoot.te	2011-01-18 23:13:49.802853447 +0100
> @@ -125,12 +125,24 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	locate_read_lib_files(setroubleshootd_t)
> +')
> +
> +optional_policy(`
> +	logging_dbus_send_dispatcher(setroubleshootd_t)
> +')
> +
> +optional_policy(`
>  	rpm_signull(setroubleshootd_t)
>  	rpm_read_db(setroubleshootd_t)
>  	rpm_dontaudit_manage_db(setroubleshootd_t)
>  	rpm_use_script_fds(setroubleshootd_t)
>  ')
>  
> +optional_policy(`
> +	xserver_xdm_dbus_send(setroubleshootd_t)
> +')
> +
>  ########################################
>  #
>  # setroubleshoot_fixit local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/smartmon.te refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te
> --- refpolicy-git-18012011/policy/modules/services/smartmon.te	2011-01-08 19:07:21.326754622 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/smartmon.te	2011-01-18 23:13:49.803853588 +0100
> @@ -73,6 +73,8 @@ files_read_etc_runtime_files(fsdaemon_t)
>  # for config
>  files_read_etc_files(fsdaemon_t)
>  
> +files_read_usr_files(fsdaemon_t)
> +
>  fs_getattr_all_fs(fsdaemon_t)
>  fs_search_auto_mountpoints(fsdaemon_t)
>  
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.if refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if
> --- refpolicy-git-18012011/policy/modules/services/xserver.if	2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.if	2011-01-18 23:13:49.804853729 +0100
> @@ -1250,3 +1250,43 @@ interface(`xserver_unconfined',`
>  	typeattribute $1 x_domain;
>  	typeattribute $1 xserver_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##      Send a dbus message to xdm. 
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_send',`
> +	gen_require(`
> +		type xdm_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 xdm_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##      Send and receive messages from
> +##      xdm over dbus.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`xserver_xdm_dbus_chat',`
> +        gen_require(`
> +                type xdm_t;
> +                class dbus send_msg;
> +        ')
> +
> +        allow $1 xdm_t:dbus send_msg;
> +        allow xdm_t $1:dbus send_msg;
> +')
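Review bot: the summary line of xserver_xdm_dbus_send ends in a trailing space, and xserver_xdm_dbus_chat is indented with spaces while xserver_xdm_dbus_send right above it uses tabs. Please use tabs throughout, matching the existing xserver_unconfined lines shown as context.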
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/services/xserver.te refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te
> --- refpolicy-git-18012011/policy/modules/services/xserver.te	2011-01-08 19:07:21.344757464 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/services/xserver.te	2011-01-18 23:13:49.806854011 +0100
> @@ -508,6 +508,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	avahi_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
>  	consolekit_dbus_chat(xdm_t)
>  ')
>  
> @@ -516,12 +520,21 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	devicekit_dbus_send_disk(xdm_t)
> +	devicekit_dbus_send_power(xdm_t)
> +')
> +
> +optional_policy(`
>  	# Talk to the console mouse server.
>  	gpm_stream_connect(xdm_t)
>  	gpm_setattr_gpmctl(xdm_t)
>  ')
>  
>  optional_policy(`
> +	hal_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
>  	hostname_exec(xdm_t)
>  ')
>  
> @@ -539,10 +552,18 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	networkmanager_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
>  	resmgr_stream_connect(xdm_t)
>  ')
>  
>  optional_policy(`
> +	setroubleshoot_dbus_send(xdm_t)
> +')
> +
> +optional_policy(`
>  	seutil_sigchld_newrole(xdm_t)
>  ')
>  
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/authlogin.te refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te
> --- refpolicy-git-18012011/policy/modules/system/authlogin.te	2011-01-08 19:07:21.347757938 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/authlogin.te	2011-01-18 23:13:49.808854293 +0100
> @@ -91,6 +91,8 @@ files_list_etc(chkpwd_t)
>  # is_selinux_enabled
>  kernel_read_system_state(chkpwd_t)
>  
> +kernel_search_sysctl(chkpwd_t)
> +
>  domain_dontaudit_use_interactive_fds(chkpwd_t)
>  
>  dev_read_rand(chkpwd_t)
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/init.if refpolicy-git-18012011-minimum-update/policy/modules/system/init.if
> --- refpolicy-git-18012011/policy/modules/system/init.if	2011-01-08 19:07:21.351758570 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/init.if	2011-01-18 23:13:49.809854434 +0100
> @@ -947,6 +947,24 @@ interface(`init_read_state',`
>  
>  ########################################
>  ## <summary>
> +##      Read init fifo file.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`init_read_fifo_file',`
> +	gen_require(`
> +		attribute init_t;
> +	')
> +
> +	read_fifo_files_pattern($1, init_t, init_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Ptrace init
>  ## </summary>
>  ## <param name="domain">
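Review bot: gen_require declares init_t with the attribute keyword (attribute init_t;), but init_t is a type, so this should read type init_t;. init_read_fifo_file is also not called in any of the hunks visible here, so please add its caller or drop it from this patch.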
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.if refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if
> --- refpolicy-git-18012011/policy/modules/system/logging.if	2011-01-08 19:07:21.355759202 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.if	2011-01-18 23:13:49.812854857 +0100
> @@ -337,6 +337,47 @@ interface(`logging_stream_connect_dispat
>  
>  ########################################
>  ## <summary>
> +##      Send a dbus message to the audit
> +##      dispatcher.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`logging_dbus_send_dispatcher',`
> +	gen_require(`
> +		type audisp_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 audisp_t:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
> +##      Send and receive messages from
> +##      the audit dispatcher over dbus.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`logging_dbus_chat_dispatcher',`
> +	gen_require(`
> +		type audisp_t;
> +		class dbus send_msg;
> +	')
> +
> +	allow $1 audisp_t:dbus send_msg;
> +	allow audisp_t $1:dbus send_msg;
> +')
> +
> +########################################
> +## <summary>
>  ##	Manage the auditd configuration files.
>  ## </summary>
>  ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/logging.te refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te
> --- refpolicy-git-18012011/policy/modules/system/logging.te	2011-01-08 19:07:21.356759360 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/logging.te	2011-01-18 23:13:49.813854998 +0100
> @@ -223,6 +223,8 @@ allow audisp_t self:unix_dgram_socket cr
>  
>  allow audisp_t auditd_t:unix_stream_socket rw_socket_perms;
>  
> +allow audisp_t proc_t:file read_file_perms;
> +
>  manage_sock_files_pattern(audisp_t, audisp_var_run_t, audisp_var_run_t)
>  files_pid_filetrans(audisp_t, audisp_var_run_t, sock_file)
>  
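Review bot: allow audisp_t proc_t:file read_file_perms; names proc_t directly from the logging module. Types owned by the kernel module should be reached through its interfaces, as authlogin.te does with kernel_read_system_state(chkpwd_t) in this same patch.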
> @@ -246,6 +248,10 @@ optional_policy(`
>  	dbus_system_bus_client(audisp_t)
>  ')
>  
> +optional_policy(`
> +	setroubleshoot_dbus_send(audisp_t)
> +')
> +
>  ########################################
>  #
>  # Audit remote logger local policy
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.if refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if
> --- refpolicy-git-18012011/policy/modules/system/mount.if	2011-01-08 19:07:21.358759676 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.if	2011-01-18 23:13:49.814855139 +0100
> @@ -51,6 +51,25 @@ interface(`mount_run',`
>  
>  ########################################
>  ## <summary>
> +##      Get the attributes of mount
> +##      executable files.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`mount_exec_getattr',`
> +	gen_require(`
> +		type mount_exec_t;
> +	')
> +
> +	allow $1 mount_exec_t:file getattr;
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute mount in the caller domain.
>  ## </summary>
>  ## <param name="domain">
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/mount.te refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te
> --- refpolicy-git-18012011/policy/modules/system/mount.te	2011-01-17 19:36:10.814131755 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/mount.te	2011-01-19 01:01:20.531005215 +0100
> @@ -51,12 +51,17 @@ kernel_read_kernel_sysctls(mount_t)
>  kernel_dontaudit_getattr_core_if(mount_t)
>  kernel_dontaudit_write_debugfs_dirs(mount_t)
>  kernel_dontaudit_write_proc_dirs(mount_t)
> +kernel_setsched(mount_t)
>  # To load binfmt_misc kernel module
>  kernel_request_load_module(mount_t)
>  
>  # required for mount.smbfs
>  corecmd_exec_bin(mount_t)
>  
> +# required for mounting nonfs,nfs4,smbfs,ncpfs,cifs,gfs,gfs2
> +# from initscripts 
> +corecmd_mmap_file_exec_shell(mount_t)
> +
>  dev_getattr_all_blk_files(mount_t)
>  dev_list_all_dev_nodes(mount_t)
>  dev_read_sysfs(mount_t)
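Review bot: the comment above corecmd_mmap_file_exec_shell reads like the argument of mount -t copied from the initscripts, where a leading "no" excludes the listed types, so "required for mounting nonfs,nfs4,..." may say the opposite of what is meant. Please reword it to state what mount maps or executes from the shell, and add a one-line reason for kernel_setsched(mount_t), which has none.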
> @@ -108,6 +113,8 @@ storage_raw_read_fixed_disk(mount_t)
>  storage_raw_write_fixed_disk(mount_t)
>  storage_raw_read_removable_device(mount_t)
>  storage_raw_write_removable_device(mount_t)
> +# needed for example by ntfs-3g
> +storage_rw_fuse(mount_t)
>  
>  term_use_all_terms(mount_t)
>  
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.if refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.if	2011-01-08 19:07:21.362760308 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.if	2011-01-18 23:13:49.817855562 +0100
> @@ -215,6 +215,24 @@ interface(`sysnet_rw_dhcp_config',`
>  
>  ########################################
>  ## <summary>
> +##      Search dhcp client state directories.
> +## </summary>
> +## <param name="domain">
> +##      <summary>
> +##      Domain allowed access.
> +##      </summary>
> +## </param>
> +#
> +interface(`sysnet_search_dhcpc_state',`
> +	gen_require(`
> +		type dhcpc_state_t;
> +	')
> +
> +	search_dirs_pattern($1, dhcpc_state_t, dhcpc_state_t)
> +')
> +
> +########################################
> +## <summary>
>  ##	Read dhcp client state files.
>  ## </summary>
>  ## <param name="domain">
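Review bot: sysnet_search_dhcpc_state has no caller in the hunks visible here; networkmanager.te uses sysnet_read_dhcpc_state instead. Unless another part of the series needs it, leave it out.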
> diff -pruN -x .git refpolicy-git-18012011/policy/modules/system/sysnetwork.te refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te
> --- refpolicy-git-18012011/policy/modules/system/sysnetwork.te	2011-01-08 19:07:21.363760466 +0100
> +++ refpolicy-git-18012011-minimum-update/policy/modules/system/sysnetwork.te	2011-01-18 23:13:49.818855703 +0100
> @@ -325,6 +325,7 @@ ifdef(`hide_broken_symptoms',`
>  ')
>  
>  optional_policy(`
> +	hal_read_pid_files(ifconfig_t)
>  	hal_dontaudit_rw_pipes(ifconfig_t)
>  	hal_dontaudit_rw_dgram_sockets(ifconfig_t)
>  ')


-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [refpolicy] RFC: patch to update git reference policy
  2011-01-20 13:18 ` Christopher J. PeBenito
@ 2011-01-20 17:32   ` Guido Trentalancia
  2011-01-21 12:37     ` Christopher J. PeBenito
  0 siblings, 1 reply; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-20 17:32 UTC (permalink / raw)
  To: refpolicy

Hello Christopher,

thanks for getting back !

On Thu, 20/01/2011 at 08.18 -0500, Christopher J. PeBenito wrote:
> On 01/18/11 19:40, Guido Trentalancia wrote:
> > Hello,
> > 
> > I have created a set of two patches to update the git reference policy
> > to run on a generic modern Linux system.
>
> There are too many changes in this patch and the other.  Can you
> resubmit, breaking each logically separate change into a different patch?

Yes, I think that can be done, although it might take some time. But
what do you mean exactly by "logically separate"?

In truth both patches are not logically separated, because of their
common aim to update refpolicy to work on a modern installation more or
less by adding some missing permissions.

I could create a separate patch for each module x (x.fc, x.if, x.te)...

I am not sure this is what you meant. For example, I have (almost) never
created a bidirectional dbus:send_msg permission in a module, but rather
split them in two unidirectional dbus:send_msg permissions in the two
modules that are relevant in that case. So, in this example, splitting
the patch according to modules would break that logic because each
module just implements a unidirectional dbus:send_msg (relative to its
own context only) and the single patch won't completely solve the issue.

Please let me know.

Regards,

Guido

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [refpolicy] RFC: patch to update git reference policy
  2011-01-20 17:32   ` Guido Trentalancia
@ 2011-01-21 12:37     ` Christopher J. PeBenito
  2011-01-24  0:43       ` [refpolicy] [PATCH/RFC 0/19]: patch set to update the " Guido Trentalancia
  0 siblings, 1 reply; 13+ messages in thread
From: Christopher J. PeBenito @ 2011-01-21 12:37 UTC (permalink / raw)
  To: refpolicy

On 01/20/11 12:32, Guido Trentalancia wrote:
> Hello Christopher,
> 
> thanks for getting back !
> 
> On Thu, 20/01/2011 at 08.18 -0500, Christopher J. PeBenito wrote:
>> On 01/18/11 19:40, Guido Trentalancia wrote:
>>> Hello,
>>>
>>> I have created a set of two patches to update the git reference policy
>>> to run on a generic modern Linux system.
>>
>> There are too many changes in this patch and the other.  Can you
>> resubmit, breaking each logically separate change into a different patch?
> 
> Yes, I think that can be done, although it might take some time. But
> what do you mean exactly by "logically separate"?

An example is adding a new interface and adding calls for it in other
modules.  It looks like you have a bunch of dbus messaging additions;
you can make that one patch.

> In truth both patches are not logically separated, because of their
> common aim to update refpolicy to work on a modern installation more or
> less by adding some missing permissions.

That means it's a pile of logical changes.

> I could create a separate patch for each module x (x.fc, x.if, x.te)...
> 
> I am not sure this is what you meant. For example, I have (almost) never
> created a bidirectional dbus:send_msg permission in a module, but rather
> split them in two unidirectional dbus:send_msg permissions in the two
> modules that are relevant in that case. So, in this example, splitting
> the patch according to modules would break that logic because each
> module just implements a unidirectional dbus:send_msg (relative to its
> own context only) and the single patch won't completely solve the issue.

Definitely not what I meant.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com

^ permalink raw reply	[flat|nested] 13+ messages in thread

* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-21 12:37     ` Christopher J. PeBenito
@ 2011-01-24  0:43       ` Guido Trentalancia
  2011-01-24 15:01         ` Dominick Grift
       [not found]         ` <4D471319.2000907@tresys.com>
  0 siblings, 2 replies; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-24  0:43 UTC (permalink / raw)
  To: refpolicy

Hello again !

I am resubmitting the changes that I proposed a few days ago for the
latest reference policy. There are a few additions and now the patch has
been split into a set of 19 logical patches.

However, there might be unavoidable dependencies between a few patches.

I have applied the patches in the following order (and I cannot
guarantee that they can still be applied in a different order,
especially because of the above mentioned dependencies, e.g. on new
interfaces):

1/19: refpolicy-git-18012011-update-file-contexts.patch
2/19: refpolicy-git-18012011-update-dbus-messaging.patch
3/19: refpolicy-git-18012011-update-readahead.patch
4/19: refpolicy-git-18012011-update-cpufreqselector.patch
5/19: refpolicy-git-18012011-update-mount.patch
6/19: refpolicy-git-18012011-update-kernel-new-interfaces.patch
7/19: refpolicy-git-18012011-update-sysadm-role.patch
8/19: refpolicy-git-18012011-update-dbus.patch
9/19: refpolicy-git-18012011-update-devicekit.patch
10/19: refpolicy-git-18012011-update-networkmanager.patch
11/19: refpolicy-git-18012011-update-setroubleshoot.patch
12/19: refpolicy-git-18012011-update-smartmon.patch
13/19: refpolicy-git-18012011-update-authlogin.patch
14/19: refpolicy-git-18012011-update-logging.patch
15/19: refpolicy-git-18012011-update-selinuxutil.patch
16/19: refpolicy-git-18012011-update-sysnetwork-new-interface.patch
17/19: refpolicy-git-18012011-update-sysnetwork-hal-read-pid-files.patch
18/19: refpolicy-git-18012011-update-consolekit.patch
19/19: refpolicy-git-18012011-update-plymouth.patch

In general, this is a starting point, because I could not test all
available modules, but in the future I might submit other patches for
other modules.

I have only tested the resulting policy with the following build
configuration:

TYPE=mcs DISTRO=redhat MONOLITHIC=n UBAC=n

however I don't expect many issues with other kinds of builds.

As already explained, the patch set aims to update some permissions
needed on a modern generic Linux system. I have not used any specific
distribution and all packages are in general latest upstream versions.

Thanks very much for your attention and for your time. The patch set
follows in separate messages to the Reference Policy mailing list having
the subject "[PATCH/RFC x/19]: patch set to update the git reference
policy", with the integer x varying from 1 to 19.

Regards,

Guido Trentalancia


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-24  0:43       ` [refpolicy] [PATCH/RFC 0/19]: patch set to update the " Guido Trentalancia
@ 2011-01-24 15:01         ` Dominick Grift
  2011-01-24 15:56           ` Guido Trentalancia
       [not found]         ` <4D471319.2000907@tresys.com>
  1 sibling, 1 reply; 13+ messages in thread
From: Dominick Grift @ 2011-01-24 15:01 UTC
  To: refpolicy

On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> Hello again !
> 
> I am resubmitting the changes that I proposed a few days ago for the
> latest reference policy. There are a few additions and now the patch has
> been split into a set of 19 logical patches.
> 
> However, there might be unavoidable dependencies between a few patches.
> 
> I have applied the patches in the following order (and I cannot
> guarantee that they can still be applied in a different order,
> especially because of the above mentioned dependencies, e.g. on new
> interfaces):
> 
> 1/19: refpolicy-git-18012011-update-file-contexts.patch
> 2/19: refpolicy-git-18012011-update-dbus-messaging.patch
> 3/19: refpolicy-git-18012011-update-readahead.patch
> 4/19: refpolicy-git-18012011-update-cpufreqselector.patch
> 5/19: refpolicy-git-18012011-update-mount.patch
> 6/19: refpolicy-git-18012011-update-kernel-new-interfaces.patch
> 7/19: refpolicy-git-18012011-update-sysadm-role.patch
> 8/19: refpolicy-git-18012011-update-dbus.patch
> 9/19: refpolicy-git-18012011-update-devicekit.patch
> 10/19: refpolicy-git-18012011-update-networkmanager.patch
> 11/19: refpolicy-git-18012011-update-setroubleshoot.patch
> 12/19: refpolicy-git-18012011-update-smartmon.patch
> 13/19: refpolicy-git-18012011-update-authlogin.patch
> 14/19: refpolicy-git-18012011-update-logging.patch
> 15/19: refpolicy-git-18012011-update-selinuxutil.patch
> 16/19: refpolicy-git-18012011-update-sysnetwork-new-interface.patch
> 17/19: refpolicy-git-18012011-update-sysnetwork-hal-read-pid-files.patch
> 18/19: refpolicy-git-18012011-update-consolekit.patch
> 19/19: refpolicy-git-18012011-update-plymouth.patch
> 
> In general, this is a starting point, because I could not test all
> available modules, but in the future I might submit other patches for
> other modules.
> 
> I have only tested the resulting policy with the following build
> configuration:
> 
> TYPE=mcs DISTRO=redhat MONOLITHIC=n UBAC=n
> 
> however I don't expect many issues with other kinds of builds.
> 
> As already explained, the patch set aims to update some permissions
> needed on a modern generic Linux system. I have not used any specific
> distribution and all packages are in general latest upstream versions.
> 
> Thanks very much for your attention and for your time. The patch set
> follows in separate messages to the Reference Policy mailing list having
> the subject "[PATCH/RFC x/19]: patch set to update the git reference
> policy", with the integer x varying from 1 to 19.

I did a quick review of your policy and commented inline. I think most
of it is probably not acceptable at this point unfortunately.

It may be beneficial to get even more familiar with reference policy and
the concepts/security goals it uses.

You may also find my latest screencast called: introduction to policy
writing, inspiring and hopefully informative:

http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html

> Regards,
> 
> Guido Trentalancia
> 

* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-24 15:01         ` Dominick Grift
@ 2011-01-24 15:56           ` Guido Trentalancia
  2011-01-24 15:59             ` Dominick Grift
  0 siblings, 1 reply; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-24 15:56 UTC
  To: refpolicy

Hello Dominick !

On Mon, 24/01/2011 at 16.01 +0100, Dominick Grift wrote:
> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
> > Hello again !
> > 
> > I am resubmitting the changes that I proposed a few days ago for the
> > latest reference policy. There are a few additions and now the patch has
> > been split into a set of 19 logical patches.
>
> I did a quick review of your policy and commented inline. I think most
> of it is probably not acceptable at this point unfortunately.

Yes, I have started to look at your comments. Of course they are all
good points that you have made and that need to be changed.

But after those issues will have been fixed, what else would prevent the
patch from being committed ?

> It may be beneficial to get even more familiar with reference policy and
> the concepts/security goals it uses.
> 
> You may also find my latest screencast called: introduction to policy
> writing, inspiring and hopefully informative:
> 
> http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html

I will have a look at it. Thanks again !

> > Regards,
> > 
> > Guido Trentalancia


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-24 15:56           ` Guido Trentalancia
@ 2011-01-24 15:59             ` Dominick Grift
  2011-01-24 21:01               ` Guido Trentalancia
  0 siblings, 1 reply; 13+ messages in thread
From: Dominick Grift @ 2011-01-24 15:59 UTC
  To: refpolicy

On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
> Hello Dominick !
> 
> On Mon, 24/01/2011 at 16.01 +0100, Dominick Grift wrote:
>> On 01/24/2011 01:43 AM, Guido Trentalancia wrote:
>>> Hello again !
>>>
>>> I am resubmitting the changes that I proposed a few days ago for the
>>> latest reference policy. There are a few additions and now the patch has
>>> been split into a set of 19 logical patches.
>>
>> I did a quick review of your policy and commented inline. I think most
>> of it is probably not acceptable at this point unfortunately.
> 
> Yes, I have started to look at your comments. Of course they are all
> good points that you have made and that need to be changed.
> 
> But after those issues will have been fixed, what else would prevent the
> patch from being committed ?

For example the way you deal with dbus chat is not the way refpolicy
usually deals with it.

Where you have dbus_*_send interfaces that only go one way, refpolicy
uses dbus_*_chat interfaces that are bi-directional.

This is because if some process sends a message and is allowed that, then
one can be sure that the receiving party will want to reply to that
message and that you will want to allow that reply (why else would you
have allowed the initial party to send a message in the first place?).

> 
>> It may be beneficial to get even more familiar with reference policy and
>> the concepts/security goals it uses.
>>
>> You may also find my latest screencast called: introduction to policy
>> writing, inspiring and hopefully informative:
>>
>> http://selinux-mac.blogspot.com/2011/01/yet-another-step-by-step-introduction.html
> 
> I will have a look at it. Thanks again !
> 
>>> Regards,
>>>
>>> Guido Trentalancia
> 
> 


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-24 15:59             ` Dominick Grift
@ 2011-01-24 21:01               ` Guido Trentalancia
  2011-01-24 21:22                 ` Dominick Grift
  0 siblings, 1 reply; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-24 21:01 UTC
  To: refpolicy

Hello Dominick,

thanks for your reply !

On Mon, 24/01/2011 at 16.59 +0100, Dominick Grift wrote:
> On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
> >> I did a quick review of your policy and commented inline. I think most
> >> of it is probably not acceptable at this point unfortunately.
> > 
> > Yes, I have started to look at your comments. Of course they are all
> > good points that you have made and that need to be changed.
> > 
> > But after those issues will have been fixed, what else would prevent the
> > patch from being committed ?
> 
> For example the way you deal with dbus chat is not the way refpolicy
> usually deals with it.

Yes, I know.

> Where you have dbus_*_send interfaces that only go one way, refpolicy
> uses dbus_*_chat interfaces that are bi-directional.
> 
> This is because if some process sends a message and is allowed that, then
> one can be sure that the receiving party will want to reply to that
> message and that you will want to allow that reply (why else would you
> have allowed the initial party to send a message in the first place?).

This is one thing I definitely do not agree with. The way it's implemented
in the patch is better in my opinion. It is more flexible and it is more
in line with the aims of a reference policy.

One should not assume anything. Permissions to send_msg should be given
to each module separately only for what concerns that module (and not
the other party which might eventually be involved in a "chat"). A chat
is a concept too advanced for a reference policy. The policy should just
grant permissions for a module to send out something. It should not even
know that a "chat" is taking place.

Of course, this is my point of view. If it necessarily needs to be the
other way to get committed, it can still be changed but I would
certainly do things differently on my side.

There are many changes that you propose. Apart from this latest one
(which is somewhat also mentioned in [2/19]), I am in perfect agreement
with what you say (well, to be honest I still need to look more
carefully at the feasibility of [5/19], [6/19], [8/19] and [13/19] but
there shouldn't be any problem as long as it is feasible).
Because there are many changes to carry out, I would prepare new patches
only if it is then worth committing them... Nobody else has commented
anything. I still think it's really worth applying these changes to the
reference policy (or otherwise it seems that basic functionality of a
generic system is not being guaranteed) !

I would really need to know before I proceed...

Regards,

Guido


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-24 21:01               ` Guido Trentalancia
@ 2011-01-24 21:22                 ` Dominick Grift
  0 siblings, 0 replies; 13+ messages in thread
From: Dominick Grift @ 2011-01-24 21:22 UTC
  To: refpolicy

On 01/24/2011 10:01 PM, Guido Trentalancia wrote:
> Hello Dominick,
> 
> thanks for your reply !
> 
> On Mon, 24/01/2011 at 16.59 +0100, Dominick Grift wrote:
>> On 01/24/2011 04:56 PM, Guido Trentalancia wrote:
>>>> I did a quick review of your policy and commented inline. I think most
>>>> of it is probably not acceptable at this point unfortunately.
>>>
>>> Yes, I have started to look at your comments. Of course they are all
>>> good points that you have made and that need to be changed.
>>>
>>> But after those issues will have been fixed, what else would prevent the
>>> patch from being committed ?
>>
>> For example the way you deal with dbus chat is not the way refpolicy
>> usually deals with it.
> 
> Yes, I know.
> 
>> Where you have dbus_*_send interfaces that only go one way, refpolicy
>> uses dbus_*_chat interfaces that are bi-directional.
>>
>> This is because if some process sends a message and is allowed that, then
>> one can be sure that the receiving party will want to reply to that
>> message and that you will want to allow that reply (why else would you
>> have allowed the initial party to send a message in the first place?).
> 
> This is one thing I definitely do not agree with. The way it's implemented
> in the patch is better in my opinion. It is more flexible and it is more
> in line with the aims of a reference policy.

Well, I am not sure about it. Security is a trade off between security
and usability. Ask yourself: does this added complexity of yours really
add valuable security? Are there any cases where one party sends a
message without getting a reply?

> One should not assume anything. Permissions to send_msg should be given
> to each module separately only for what concerns that module (and not
> the other party which might eventually be involved in a "chat"). A chat
> is a concept too advanced for a reference policy. The policy should just
> grant permissions for a module to send out something. It should not even
> know that a "chat" is taking place.
> 
> Of course, this is my point of view. If it necessarily needs to be the
> other way to get committed, it can still be changed but I would
> certainly do things differently on my side.

I am just a humble hobbyist with an opinion. I too would be interested
to hear others' (especially people with authority) opinions on it. But
from experience I can tell you that it is almost, if not always, a chat thing.

> 
> There are many changes that you propose. Apart from this latest one
> (which is somewhat also mentioned in [2/19]), I am in perfect agreement
> with what you say (well, to be honest I still need to look more
> carefully at the feasibility of [5/19], [6/19], [8/19] and [13/19] but
> there shouldn't be any problem as long as it is feasible).
> Because there are many changes to carry out, I would prepare new patches
> only if it is then worth committing them... Nobody else has commented
> anything. I still think it's really worth applying these changes to the
> reference policy (or otherwise it seems that basic functionality of a
> generic system is not being guaranteed) !
> 

My advice is that you send small patches for each functionality and
explain why it's needed in as much detail as possible. Of course you
should make sure you apply style rules and also make sure you compare
your changes with similar policy in refpolicy to see if your change
complies with refpolicy design (e.g. the decisions refpolicy made with
regard to how a particular issue should be handled).

I have proposed many patches to refpolicy. Several had many revisions and
eventually were not accepted. It is in my view not easy to maintain an
upstream policy because there are many things to take into account
before you can accept a patch. That also means that the submitter has to
know a lot of properties of refpolicy.

Else the maintainer spends all his time reviewing patches and explaining
these properties to people over and over again.

So before you submit, double... triple check your patches.

The first time one submits a patch that has mistakes is not a big deal,
the second time I guess neither. But if one sends many patches that keep
having issues and the maintainer has to review them all, then I can
imagine that after a while the maintainer is not so eager anymore to
review it...

So the point of all this is: best to spend a little more time getting
familiar with the properties of the policy, and be confident that any
patch you submit has a high chance of getting accepted. So verify style,
properties etc.

This is also to save yourself some frustration.

Again, though, I am just a hobbyist. I have no authority and I am just
trying to help.

> I would really need to know before I proceed...
>
> Regards,
> 
> Guido
> 

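The send-versus-chat question debated in the messages above can be checked mechanically. The following is an added example, not code from this thread or from refpolicy: it reads allow rules, one per line, and lists dbus send_msg grants that have no matching rule in the reply direction. The rule text and all type names are constructed, and attributes or negated type sets are assumed absent (they are not expanded).

```python
"""Added example: list one-way D-Bus send_msg grants in SELinux allow rules."""
import re

# Constructed sample input; every type name here is hypothetical.
SAMPLE_RULES = """
# bi-directional pair, the shape a dbus_*_chat style interface produces
allow client_t service_t:dbus send_msg;
allow service_t client_t:dbus send_msg;
# one-way grant, the shape a dbus_*_send style interface produces
allow notifier_t service_t:dbus { send_msg };
# brace sets: two sources, two permissions; only applet_t gets a reply rule
allow { applet_t helper_t } daemon_t:dbus { acquire_svc send_msg };
allow daemon_t applet_t:dbus send_msg;
# not a dbus rule, ignored
allow client_t service_t:unix_stream_socket connectto;
"""

_SET = r"\{[^}]*\}"       # a brace set such as { a b c }
_ONE = r"[^\s:;{}]+"      # a single identifier
_TOK = "(" + _SET + "|" + _ONE + ")"
RULE_RE = re.compile(
    r"^\s*allow\s+" + _TOK + r"\s+" + _TOK + r"\s*:\s*" + _TOK + r"\s+" + _TOK + r"\s*;"
)


def _expand(token):
    """Turn 'a_t' or '{ a_t b_t }' into a list of names."""
    return token.strip("{} \t").split()


def dbus_send_edges(policy_text):
    """Return the set of (sender, receiver) pairs granted dbus send_msg."""
    edges = set()
    for line in policy_text.splitlines():
        match = RULE_RE.match(line.split("#", 1)[0])  # drop trailing comments
        if not match:
            continue
        sources, targets, classes, perms = (_expand(g) for g in match.groups())
        if "dbus" not in classes or "send_msg" not in perms:
            continue
        for src in sources:
            for tgt in targets:
                # 'self' as target means the source type itself
                edges.add((src, src if tgt == "self" else tgt))
    return edges


def one_way_grants(policy_text):
    """Return sorted (sender, receiver) pairs with no rule for the reply."""
    edges = dbus_send_edges(policy_text)
    return sorted((s, t) for (s, t) in edges if (t, s) not in edges)


if __name__ == "__main__":
    for sender, receiver in one_way_grants(SAMPLE_RULES):
        print(f"{sender} -> {receiver}: send_msg granted, reply direction is not")
```

Each pair it reports is a place where a send-only interface was used and the receiving domain has no rule covering a reply to that sender.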

* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
       [not found]         ` <4D471319.2000907@tresys.com>
@ 2011-01-31 21:18           ` Guido Trentalancia
  2011-02-02 23:52             ` Martin Orr
  0 siblings, 1 reply; 13+ messages in thread
From: Guido Trentalancia @ 2011-01-31 21:18 UTC
  To: refpolicy

Welcome back Christopher and thanks for your kind message of
acknowledgement.

On Mon, 31/01/2011 at 14.52 -0500, Christopher J. PeBenito wrote:
> On 1/23/2011 7:43 PM, Guido Trentalancia wrote:
> I didn't look at all of the patches in deep detail, as Dominick gave you 
> some excellent feedback while I was gone last week.

Yes, Dominick is providing substantial contribution to the work being
discussed in the form of excellent feedback and very valuable
suggestions.

> One thing I want to clarify for each of the actual patches you need:
> 
> * a better subject: "patch set to update the git reference policy" isn't 
> very informative.

Then, it would probably be impossible to submit a patch set at all. We
will just have many individual, separate patches. Because the whole
patch set aims to tackle very different issues in many different places
that it would probably be impossible to summarize everything in the
subject.

> * a detailed description of what the patch does.

Sure. It will be done.

> This will help facilitate review of the patches, and will help us 
> understand the details.

In general, the set of patches is the result of testing refpolicy on a
very recent generic Linux installation. It aims to fix generic issues
with a few essential modules while trying to use the latest refpolicy on
a recent unbranded Linux installation.

There is a particular issue that is awaiting your direction. Could you
please have a look at the dbus_chat/dbus_send (bi-directional versus
uni-directional "send_msg" permission in the context of DBus). For
example, message thread [8/19] timestamped Thu 27 Jan 2011 01:37:12
+0100, Thu 27 Jan 2011 10:16:25 +0100.

Another very interesting issue is in the same thread [8/19] with
timestamp Fri 28 Jan 2011 18:01:43 +0100 (xdg configuration files, both
of us were trying to get some consensus on the need to have a new
label).

Yet another interesting issue is again in thread [8/19] with timestamp
Sat 29 Jan 2011 09:31:33 +0100 (need for a new module to accommodate
system-tools-backends and inconclusive speculations on optional_policy
expansion).

Kind regards,

Guido


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-01-31 21:18           ` Guido Trentalancia
@ 2011-02-02 23:52             ` Martin Orr
  2011-02-03  0:04               ` Guido Trentalancia
  0 siblings, 1 reply; 13+ messages in thread
From: Martin Orr @ 2011-02-02 23:52 UTC
  To: refpolicy

On Mon 31 Jan 21:18:57 2011, Guido Trentalancia wrote:
> On Mon, 31/01/2011 at 14.52 -0500, Christopher J. PeBenito wrote:
>> One thing I want to clarify for each of the actual patches you need:
>>
>> * a better subject: "patch set to update the git reference policy" isn't
>> very informative.
>
> Then, it would probably be impossible to submit a patch set at all. We
> will just have many individual, separate patches. Because the whole
> patch set aims to tackle very different issues in many different places
> that it would probably be impossible to summarize everything in the
> subject.

I think this is the point: because you deal with many different  
issues, you do not really have a "set".  Chris can decide  
independently for each of the patches whether to apply it or not, and  
that will (usually) not break and will cause a measurable improvement  
in refpolicy.

The subject of each patch should be a short summary of what that  
individual patch does, for example "dbus file labelling" for patch 1  
and "Allow dbus messages" for patch 2.  If you can't give such a label  
to a particular patch, that might mean that you have divided up your  
patches badly.

>> * a detailed description of what the patch does.
>
> Sure. It will be done.
>
>> This will help facilitate review of the patches, and will help us
>> understand the details.
>
> In general, the set of patches is the result of testing refpolicy on a
> very recent generic Linux installation. It aims to fix generic issues
> with a few essential modules while trying to use the latest refpolicy on
> a recent unbranded Linux installation.

-- 
Martin Orr


* [refpolicy] [PATCH/RFC 0/19]: patch set to update the git reference policy
  2011-02-02 23:52             ` Martin Orr
@ 2011-02-03  0:04               ` Guido Trentalancia
  0 siblings, 0 replies; 13+ messages in thread
From: Guido Trentalancia @ 2011-02-03  0:04 UTC
  To: refpolicy

Hello Martin !

Thanks very much for your interest in this attempt to feed back some
possible improvements to the reference policy based upon testing on a
generic recent installation.

On Wed, 02/02/2011 at 23.52 +0000, Martin Orr wrote:
> On Mon 31 Jan 21:18:57 2011, Guido Trentalancia wrote:
> > On Mon, 31/01/2011 at 14.52 -0500, Christopher J. PeBenito wrote:
> >> One thing I want to clarify for each of the actual patches you need:
> >>
> >> * a better subject: "patch set to update the git reference policy" isn't
> >> very informative.
> >
> > Then, it would probably be impossible to submit a patch set at all. We
> > will just have many individual, separate patches. Because the whole
> > patch set aims to tackle very different issues in many different places
> > that it would probably be impossible to summarize everything in the
> > subject.
> 
> I think this is the point: because you deal with many different  
> issues, you do not really have a "set".  Chris can decide  
> independently for each of the patches whether to apply it or not, and  
> that will (usually) not break and will cause a measurable improvement  
> in refpolicy.

I will do my best. However, I am not entirely sure (and cannot
guarantee) that applying only a subset of the patches will lead to
desirable results. In general, they will be made as much independent
from each other as technically possible.

> The subject of each patch should be a short summary of what that  
> individual patch does, for example "dbus file labelling" for patch 1  
> and "Allow dbus messages" for patch 2.  If you can't give such a label  
> to a particular patch, that might mean that you have divided up your  
> patches badly.

Yes, I will re-submit individual, disjoint patches so that each message
has a different subject. A short textual description at the beginning of
each message will summarize the aims of the patch that follows.

> >> * a detailed description of what the patch does.
> >
> > Sure. It will be done.
> >
> >> This will help facilitate review of the patches, and will help us
> >> understand the details.
> >
> > In general, the set of patches is the result of testing refpolicy on a
> > very recent generic Linux installation. It aims to fix generic issues
> > with a few essential modules while trying to use the latest refpolicy on
> > a recent unbranded Linux installation.

In general, it's just several tiny adjustments to some permissions in a
bunch of modules that I have tested. Something else might come at a
later time if I manage to test other modules or write new modules.

In the meanwhile, should you have other comments or questions to raise,
please do not hesitate to contact me.

Kind regards,

Guido


Thread overview: 13+ messages
2011-01-19  0:40 [refpolicy] RFC: patch to update git reference policy Guido Trentalancia
2011-01-20 13:18 ` Christopher J. PeBenito
2011-01-20 17:32   ` Guido Trentalancia
2011-01-21 12:37     ` Christopher J. PeBenito
2011-01-24  0:43       ` [refpolicy] [PATCH/RFC 0/19]: patch set to update the " Guido Trentalancia
2011-01-24 15:01         ` Dominick Grift
2011-01-24 15:56           ` Guido Trentalancia
2011-01-24 15:59             ` Dominick Grift
2011-01-24 21:01               ` Guido Trentalancia
2011-01-24 21:22                 ` Dominick Grift
     [not found]         ` <4D471319.2000907@tresys.com>
2011-01-31 21:18           ` Guido Trentalancia
2011-02-02 23:52             ` Martin Orr
2011-02-03  0:04               ` Guido Trentalancia
