* [refpolicy] [PATCH 1/3] mls mcs: Add constraints for key class
@ 2017-11-02 17:30 Jason Zaman
From: Jason Zaman @ 2017-11-02 17:30 UTC (permalink / raw)
  To: refpolicy

Taken from Fedora's policy
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
---
 policy/mcs                   |  3 +++
 policy/mls                   |  8 ++++++++
 policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
 policy/modules/kernel/mls.te |  3 +++
 4 files changed, 55 insertions(+)

diff --git a/policy/mcs b/policy/mcs
index 4d030112..94319570 100644
--- a/policy/mcs
+++ b/policy/mcs
@@ -123,6 +123,9 @@ mlsconstrain process { signal }
 mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
 	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
 
+mlsconstrain key { create link read search setattr view write }
+	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
+
 #
 # MCS policy for SELinux-enabled databases
 #
diff --git a/policy/mls b/policy/mls
index 69ca7263..2dadd205 100644
--- a/policy/mls
+++ b/policy/mls
@@ -281,6 +281,14 @@ mlsconstrain msg send
 # { ipc sem msgq shm } associate
 
 
+#
+# MLS policy for the key class
+#
+
+mlsconstrain key { create link read search setattr view write }
+	(( l1 eq l2 ) or
+	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
+	 ( t1 == mlskeywrite ));
 
 
 #
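Review bot: The new key constraint applies the write rule `( l1 eq l2 )` to read, search and view as well, so unlike the file and IPC rules elsewhere in this file there is no read-down (`l1 dom l2`) for keys; a higher-level domain cannot even search or view a lower-level keyring unless it carries one of the exemption attributes. That also means `mlskeywrite` and `mlskeywritetoclr` exempt reads, not only writes, which the summaries of the two interfaces added in the mls.if hunk ("MLS trusted for writing to keys") do not say. If strict equality is intended, state it above the rule, e.g. `# No read-down for keys: read/search/view are constrained like writes, so the write attributes exempt reads too.`, and widen the mls.if summaries to "reading and writing keys". Whether this exactly mirrors the Fedora source is not visible from the hunk.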
diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
index 3929ffc4..b09c0a5a 100644
--- a/policy/modules/kernel/mls.if
+++ b/policy/modules/kernel/mls.if
@@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
 
 ########################################
 ## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys up to
+##	its clearance.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_to_clearance',`
+	gen_require(`
+		attribute mlskeywritetoclr;
+	')
+
+	typeattribute $1 mlskeywritetoclr;
+')
+
+########################################
+## <summary>
+##	Make specified domain MLS trusted
+##	for writing to keys at all levels.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`mls_key_write_all_levels',`
+	gen_require(`
+		attribute mlskeywrite;
+	')
+
+	typeattribute $1 mlskeywrite;
+')
+
+########################################
+## <summary>
 ##	Allow the specified domain to do a MLS
 ##	range transition that changes
 ##	the current level.
diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
index 15e50a36..e879ddd3 100644
--- a/policy/modules/kernel/mls.te
+++ b/policy/modules/kernel/mls.te
@@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
 attribute mlsipcwrite;
 attribute mlsipcwritetoclr;
 
+attribute mlskeywrite;
+attribute mlskeywritetoclr;
+
 attribute mlsprocread;
 attribute mlsprocreadtoclr;
 attribute mlsprocwrite;
-- 
2.13.6


* [refpolicy] [PATCH 2/3] Add key interfaces and perms
@ 2017-11-02 17:30 ` Jason Zaman
From: Jason Zaman @ 2017-11-02 17:30 UTC (permalink / raw)
  To: refpolicy

Mostly taken from the Fedora Rawhide policy
---
 policy/modules/kernel/kernel.if     | 36 ++++++++++++++++++
 policy/modules/services/ssh.if      |  1 +
 policy/modules/services/ssh.te      |  1 +
 policy/modules/services/xserver.if  | 18 +++++++++
 policy/modules/services/xserver.te  |  1 +
 policy/modules/system/authlogin.te  |  2 +
 policy/modules/system/locallogin.te |  1 +
 policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
 8 files changed, 133 insertions(+)

diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
index 25467d0a..843b26e3 100644
--- a/policy/modules/kernel/kernel.if
+++ b/policy/modules/kernel/kernel.if
@@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
 
 ########################################
 ## <summary>
+##	Allow view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`kernel_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	allow $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
+##	dontaudit view the kernel key ring.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to not audit.
+##	</summary>
+## </param>
+#
+interface(`kernel_dontaudit_view_key',`
+	gen_require(`
+		type kernel_t;
+	')
+
+	dontaudit $1 kernel_t:key view;
+')
+
+########################################
+## <summary>
 ##	Allows caller to read the ring buffer.
 ## </summary>
 ## <param name="domain">
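Review bot: The summary of `kernel_view_key` reads "Allow view the kernel key ring", which is ungrammatical and does not match the phrasing of the neighbouring interface ("Allows caller to read the ring buffer"); `##	Allow viewing the kernel keyring.` would read correctly. The `kernel_dontaudit_view_key` summary should likewise use the usual dontaudit wording, `##	Do not audit attempts to view the kernel keyring.`. The rules themselves are fine as written.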
diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
index aa906680..4f20137a 100644
--- a/policy/modules/services/ssh.if
+++ b/policy/modules/services/ssh.if
@@ -338,6 +338,7 @@ template(`ssh_role_template',`
 	# for rsync
 	allow ssh_t $3:unix_stream_socket rw_socket_perms;
 	allow ssh_t $3:unix_stream_socket connectto;
+	allow ssh_t $3:key manage_key_perms;
 
 	# user can manage the keys and config
 	manage_files_pattern($3, ssh_home_t, ssh_home_t)
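Review bot: The new `allow ssh_t $3:key manage_key_perms;` sits directly under the `# for rsync` comment, so a reader will take it as part of the rsync socket rules, which it is not. It grants the ssh client full management (create, link, setattr and so on) of keys labelled with the user domain, presumably because the user's session keyring carries that label; a comment stating the actual reason belongs above it, e.g. `# keys in the user session keyring are labeled with the user domain`, and if only lookup is needed the rule could be narrowed to `{ read search view }`. `ssh_role_template` starts and ends outside the hunk.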
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index 5b939d0c..eaabdcd7 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
 allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow ssh_t self:fd use;
 allow ssh_t self:fifo_file rw_fifo_file_perms;
+allow ssh_t self:key manage_key_perms;
 allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
 allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
 allow ssh_t self:shm create_shm_perms;
diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
index e0c5be82..e70046db 100644
--- a/policy/modules/services/xserver.if
+++ b/policy/modules/services/xserver.if
@@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
 	typeattribute $1 x_domain;
 	typeattribute $1 xserver_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Manage keys for xdm.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`xserver_rw_xdm_keys',`
+	gen_require(`
+		type xdm_t;
+	')
+
+	allow $1 xdm_t:key { read write setattr };
+')
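Review bot: The summary "Manage keys for xdm." overstates what `xserver_rw_xdm_keys` grants: the rule allows only `{ read write setattr }` and the interface name says rw. The summary should match the rule, e.g. `##	Read, write, and set attributes on xdm keys.`. The permission set also differs from `userdom_rw_all_users_keys` in this same series, which grants `{ read view write }`; whether xdm key consumers need `view`, and whether they really need `setattr`, should be settled so the two rw interfaces agree.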
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 758292be..ef56563c 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
 kernel_read_kernel_sysctls(xdm_t)
 kernel_read_net_sysctls(xdm_t)
 kernel_read_network_state(xdm_t)
+kernel_view_key(xdm_t)
 
 corecmd_exec_shell(xdm_t)
 corecmd_exec_bin(xdm_t)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 11a8ec1c..0f4ee19f 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -419,6 +419,8 @@ optional_policy(`
 # nsswitch_domain local policy
 #
 
+allow nsswitch_domain self:key manage_key_perms;
+
 files_list_var_lib(nsswitch_domain)
 
 # read /etc/nsswitch.conf
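Review bot: `allow nsswitch_domain self:key manage_key_perms;` grants every domain carrying the `nsswitch_domain` attribute full key management on its own keys, a far larger set of domains than the other rules in this series touch. The description only says the rules come from Fedora, so the consumer that needs this is not recorded; a why-comment above the rule would help, e.g. `# keyring access for nss/pam clients (TODO: name the module that needs it)`. If only lookup of existing keys is required, `{ read search view }` would be a narrower starting point.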
diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
index 5a0c508f..269a61e0 100644
--- a/policy/modules/system/locallogin.te
+++ b/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 optional_policy(`
 	xserver_read_xdm_tmp_files(local_login_t)
 	xserver_rw_xdm_tmp_files(local_login_t)
+	xserver_rw_xdm_keys(local_login_t)
 ')
 
 #################################
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 750bc722..efb31d0a 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
 
 	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
 	allow $1_t self:fd use;
+	allow $1_t self:key manage_key_perms;
 	allow $1_t self:fifo_file rw_fifo_file_perms;
 	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
 	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
@@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
 
 ########################################
 ## <summary>
+##	Read keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_read_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key read;
+')
+
+########################################
+## <summary>
+##	Write keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key write;
+')
+
+########################################
+## <summary>
+##	Read and write keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_rw_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key { read view write };
+')
+
+########################################
+## <summary>
 ##	Create keys for all user domains.
 ## </summary>
 ## <param name="domain">
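Review bot: `userdom_read_all_users_keys` grants only `read` while `userdom_rw_all_users_keys` grants `{ read view write }`, so a caller of the read interface gets less than the read half of the rw one. Finding a key normally requires `search` on the keyrings leading to it and describing it requires `view`; if `read` alone is known to suffice for the intended callers, say so in the summary, otherwise `allow $1 userdomain:key { read search view };` would make the read and rw interfaces consistent. `userdom_write_all_users_keys` similarly lacks `search`. None of these three interfaces is called anywhere in the series, so the intended consumer is not visible from the hunk.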
@@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
 
 ########################################
 ## <summary>
+##	Manage keys for all user domains.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_manage_all_users_keys',`
+	gen_require(`
+		attribute userdomain;
+	')
+
+	allow $1 userdomain:key manage_key_perms;
+')
+
+########################################
+## <summary>
 ##	Send a dbus message to all user domains.
 ## </summary>
 ## <param name="domain">
-- 
2.13.6


* [refpolicy] [PATCH 3/3] gssproxy: Allow others to stream connect
@ 2017-11-02 17:30 ` Jason Zaman
From: Jason Zaman @ 2017-11-02 17:30 UTC (permalink / raw)
  To: refpolicy

kernel AVC:
 * Starting gssproxy ...
Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
 * start-stop-daemon: failed to start `gssproxy'

type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
---
 policy/modules/kernel/kernel.te     | 4 ++++
 policy/modules/roles/sysadm.te      | 4 ++++
 policy/modules/system/userdomain.if | 4 ++++
 3 files changed, 12 insertions(+)

diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 0fc74648..22d1ebaf 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -423,6 +423,10 @@ optional_policy(`
 	rpc_tcp_rw_nfs_sockets(kernel_t)
 	rpc_udp_rw_nfs_sockets(kernel_t)
 
+	optional_policy(`
+		gssproxy_stream_connect(kernel_t)
+	')
+
 	tunable_policy(`nfs_export_all_ro',`
 		fs_getattr_noxattr_fs(kernel_t)
 		fs_list_noxattr_fs(kernel_t)
diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
index 93c9ee5f..d25dd34b 100644
--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -455,6 +455,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gssproxy_admin(sysadm_t)
+')
+
+optional_policy(`
 	hadoop_role(sysadm_r, sysadm_t)
 ')
 
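Review bot: `gssproxy_admin(sysadm_t)` is unrelated to the connectto denial quoted in the description, which only justifies the kernel_t rule; the same applies to the `gssproxy_stream_connect($1_t)` added to `userdom_common_user_template` in the userdomain.if hunk. Either split these two into their own commit or add a sentence to the description stating why sysadm gets the admin interface and why every common user domain may connect to the gssproxy socket. As written, the subject "Allow others to stream connect" does not cover the admin grant.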
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index efb31d0a..49eff3a6 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
 	')
 
 	optional_policy(`
+		gssproxy_stream_connect($1_t)
+	')
+
+	optional_policy(`
 		hwloc_exec_dhwd($1_t)
 		hwloc_read_runtime_files($1_t)
 	')
-- 
2.13.6


* [refpolicy] [PATCH 1/3] mls mcs: Add constraints for key class
@ 2017-11-04 18:09 ` Chris PeBenito
From: Chris PeBenito @ 2017-11-04 18:09 UTC (permalink / raw)
  To: refpolicy

On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Taken from fedoras policy
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mls
> https://github.com/fedora-selinux/selinux-policy/blob/rawhide-base/policy/mcs
> ---
>   policy/mcs                   |  3 +++
>   policy/mls                   |  8 ++++++++
>   policy/modules/kernel/mls.if | 41 +++++++++++++++++++++++++++++++++++++++++
>   policy/modules/kernel/mls.te |  3 +++
>   4 files changed, 55 insertions(+)
> 
> diff --git a/policy/mcs b/policy/mcs
> index 4d030112..94319570 100644
> --- a/policy/mcs
> +++ b/policy/mcs
> @@ -123,6 +123,9 @@ mlsconstrain process { signal }
>   mlsconstrain { tcp_socket udp_socket rawip_socket } node_bind
>   	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
>   
> +mlsconstrain key { create link read search setattr view write }
> +	(( h1 dom h2 ) or ( t1 != mcs_constrained_type ));
> +
>   #
>   # MCS policy for SELinux-enabled databases
>   #
> diff --git a/policy/mls b/policy/mls
> index 69ca7263..2dadd205 100644
> --- a/policy/mls
> +++ b/policy/mls
> @@ -281,6 +281,14 @@ mlsconstrain msg send
>   # { ipc sem msgq shm } associate
>   
>   
> +#
> +# MLS policy for the key class
> +#
> +
> +mlsconstrain key { create link read search setattr view write }
> +	(( l1 eq l2 ) or
> +	 (( t1 == mlskeywritetoclr ) and ( h1 dom l2 ) and ( l1 domby l2 )) or
> +	 ( t1 == mlskeywrite ));
>   
>   
>   #
> diff --git a/policy/modules/kernel/mls.if b/policy/modules/kernel/mls.if
> index 3929ffc4..b09c0a5a 100644
> --- a/policy/modules/kernel/mls.if
> +++ b/policy/modules/kernel/mls.if
> @@ -426,6 +426,47 @@ interface(`mls_sysvipc_write_all_levels',`
>   
>   ########################################
>   ## <summary>
> +##	Make specified domain MLS trusted
> +##	for writing to keys up to
> +##	its clearance.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_key_write_to_clearance',`
> +	gen_require(`
> +		attribute mlskeywritetoclr;
> +	')
> +
> +	typeattribute $1 mlskeywritetoclr;
> +')
> +
> +########################################
> +## <summary>
> +##	Make specified domain MLS trusted
> +##	for writing to keys at all levels.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`mls_key_write_all_levels',`
> +	gen_require(`
> +		attribute mlskeywrite;
> +	')
> +
> +	typeattribute $1 mlskeywrite;
> +')
> +
> +########################################
> +## <summary>
>   ##	Allow the specified domain to do a MLS
>   ##	range transition that changes
>   ##	the current level.
> diff --git a/policy/modules/kernel/mls.te b/policy/modules/kernel/mls.te
> index 15e50a36..e879ddd3 100644
> --- a/policy/modules/kernel/mls.te
> +++ b/policy/modules/kernel/mls.te
> @@ -30,6 +30,9 @@ attribute mlsipcreadtoclr;
>   attribute mlsipcwrite;
>   attribute mlsipcwritetoclr;
>   
> +attribute mlskeywrite;
> +attribute mlskeywritetoclr;
> +
>   attribute mlsprocread;
>   attribute mlsprocreadtoclr;
>   attribute mlsprocwrite;

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 2/3] Add key interfaces and perms
@ 2017-11-04 18:09   ` Chris PeBenito
From: Chris PeBenito @ 2017-11-04 18:09 UTC (permalink / raw)
  To: refpolicy

On 11/02/2017 01:30 PM, Jason Zaman wrote:
> Mostly taken from the fedora rawhide policy
> ---
>   policy/modules/kernel/kernel.if     | 36 ++++++++++++++++++
>   policy/modules/services/ssh.if      |  1 +
>   policy/modules/services/ssh.te      |  1 +
>   policy/modules/services/xserver.if  | 18 +++++++++
>   policy/modules/services/xserver.te  |  1 +
>   policy/modules/system/authlogin.te  |  2 +
>   policy/modules/system/locallogin.te |  1 +
>   policy/modules/system/userdomain.if | 73 +++++++++++++++++++++++++++++++++++++
>   8 files changed, 133 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.if b/policy/modules/kernel/kernel.if
> index 25467d0a..843b26e3 100644
> --- a/policy/modules/kernel/kernel.if
> +++ b/policy/modules/kernel/kernel.if
> @@ -457,6 +457,42 @@ interface(`kernel_dontaudit_link_key',`
>   
>   ########################################
>   ## <summary>
> +##	Allow view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_view_key',`
> +	gen_require(`
> +		type kernel_t;
> +	')
> +
> +	allow $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
> +##	dontaudit view the kernel key ring.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to not audit.
> +##	</summary>
> +## </param>
> +#
> +interface(`kernel_dontaudit_view_key',`
> +	gen_require(`
> +		type kernel_t;
> +	')
> +
> +	dontaudit $1 kernel_t:key view;
> +')
> +
> +########################################
> +## <summary>
>   ##	Allows caller to read the ring buffer.
>   ## </summary>
>   ## <param name="domain">
> diff --git a/policy/modules/services/ssh.if b/policy/modules/services/ssh.if
> index aa906680..4f20137a 100644
> --- a/policy/modules/services/ssh.if
> +++ b/policy/modules/services/ssh.if
> @@ -338,6 +338,7 @@ template(`ssh_role_template',`
>   	# for rsync
>   	allow ssh_t $3:unix_stream_socket rw_socket_perms;
>   	allow ssh_t $3:unix_stream_socket connectto;
> +	allow ssh_t $3:key manage_key_perms;
>   
>   	# user can manage the keys and config
>   	manage_files_pattern($3, ssh_home_t, ssh_home_t)
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index 5b939d0c..eaabdcd7 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -103,6 +103,7 @@ allow ssh_t self:capability { dac_override dac_read_search setgid setuid };
>   allow ssh_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>   allow ssh_t self:fd use;
>   allow ssh_t self:fifo_file rw_fifo_file_perms;
> +allow ssh_t self:key manage_key_perms;
>   allow ssh_t self:unix_dgram_socket { create_socket_perms sendto };
>   allow ssh_t self:unix_stream_socket { create_stream_socket_perms connectto };
>   allow ssh_t self:shm create_shm_perms;
> diff --git a/policy/modules/services/xserver.if b/policy/modules/services/xserver.if
> index e0c5be82..e70046db 100644
> --- a/policy/modules/services/xserver.if
> +++ b/policy/modules/services/xserver.if
> @@ -1537,3 +1537,21 @@ interface(`xserver_unconfined',`
>   	typeattribute $1 x_domain;
>   	typeattribute $1 xserver_unconfined_type;
>   ')
> +
> +########################################
> +## <summary>
> +##	Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_rw_xdm_keys',`
> +	gen_require(`
> +		type xdm_t;
> +	')
> +
> +	allow $1 xdm_t:key { read write setattr };
> +')
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 758292be..ef56563c 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -396,6 +396,7 @@ kernel_read_system_state(xdm_t)
>   kernel_read_kernel_sysctls(xdm_t)
>   kernel_read_net_sysctls(xdm_t)
>   kernel_read_network_state(xdm_t)
> +kernel_view_key(xdm_t)
>   
>   corecmd_exec_shell(xdm_t)
>   corecmd_exec_bin(xdm_t)
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 11a8ec1c..0f4ee19f 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -419,6 +419,8 @@ optional_policy(`
>   # nsswitch_domain local policy
>   #
>   
> +allow nsswitch_domain self:key manage_key_perms;
> +
>   files_list_var_lib(nsswitch_domain)
>   
>   # read /etc/nsswitch.conf
> diff --git a/policy/modules/system/locallogin.te b/policy/modules/system/locallogin.te
> index 5a0c508f..269a61e0 100644
> --- a/policy/modules/system/locallogin.te
> +++ b/policy/modules/system/locallogin.te
> @@ -209,6 +209,7 @@ optional_policy(`
>   optional_policy(`
>   	xserver_read_xdm_tmp_files(local_login_t)
>   	xserver_rw_xdm_tmp_files(local_login_t)
> +	xserver_rw_xdm_keys(local_login_t)
>   ')
>   
>   #################################
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 750bc722..efb31d0a 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -47,6 +47,7 @@ template(`userdom_base_user_template',`
>   
>   	allow $1_t self:process { signal_perms getsched setsched share getpgid setpgid setcap getsession getattr };
>   	allow $1_t self:fd use;
> +	allow $1_t self:key manage_key_perms;
>   	allow $1_t self:fifo_file rw_fifo_file_perms;
>   	allow $1_t self:unix_dgram_socket { create_socket_perms sendto };
>   	allow $1_t self:unix_stream_socket { create_stream_socket_perms connectto };
> @@ -4020,6 +4021,60 @@ interface(`userdom_sigchld_all_users',`
>   
>   ########################################
>   ## <summary>
> +##	Read keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_read_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key read;
> +')
> +
> +########################################
> +## <summary>
> +##	Write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_write_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key write;
> +')
> +
> +########################################
> +## <summary>
> +##	Read and write keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_rw_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key { read view write };
> +')
> +
> +########################################
> +## <summary>
>   ##	Create keys for all user domains.
>   ## </summary>
>   ## <param name="domain">
> @@ -4038,6 +4093,24 @@ interface(`userdom_create_all_users_keys',`
>   
>   ########################################
>   ## <summary>
> +##	Manage keys for all user domains.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`userdom_manage_all_users_keys',`
> +	gen_require(`
> +		attribute userdomain;
> +	')
> +
> +	allow $1 userdomain:key manage_key_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Send a dbus message to all user domains.
>   ## </summary>
>   ## <param name="domain">

Merged.

-- 
Chris PeBenito


* [refpolicy] [PATCH 3/3] gssproxy: Allow others to stream connect
@ 2017-11-04 18:10   ` Chris PeBenito
From: Chris PeBenito @ 2017-11-04 18:10 UTC (permalink / raw)
  To: refpolicy

On 11/02/2017 01:30 PM, Jason Zaman wrote:
> kernel AVC:
>   * Starting gssproxy ...
> Failed to write to /proc/net/rpc/use-gss-proxy: 13 (Permission denied)
>   * start-stop-daemon: failed to start `gssproxy'
> 
> type=AVC msg=audit(1490858215.578:386110): avc:  denied  { connectto } for  pid=25447 comm="gssproxy" path="/run/gssproxy.sock" scontext=system_u:system_r:kernel_t:s0 tcontext=system_u:system_r:gssproxy_t:s0 tclass=unix_stream_socket permissive=0
> ---
>   policy/modules/kernel/kernel.te     | 4 ++++
>   policy/modules/roles/sysadm.te      | 4 ++++
>   policy/modules/system/userdomain.if | 4 ++++
>   3 files changed, 12 insertions(+)
> 
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index 0fc74648..22d1ebaf 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -423,6 +423,10 @@ optional_policy(`
>   	rpc_tcp_rw_nfs_sockets(kernel_t)
>   	rpc_udp_rw_nfs_sockets(kernel_t)
>   
> +	optional_policy(`
> +		gssproxy_stream_connect(kernel_t)
> +	')
> +
>   	tunable_policy(`nfs_export_all_ro',`
>   		fs_getattr_noxattr_fs(kernel_t)
>   		fs_list_noxattr_fs(kernel_t)
> diff --git a/policy/modules/roles/sysadm.te b/policy/modules/roles/sysadm.te
> index 93c9ee5f..d25dd34b 100644
> --- a/policy/modules/roles/sysadm.te
> +++ b/policy/modules/roles/sysadm.te
> @@ -455,6 +455,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	gssproxy_admin(sysadm_t)
> +')
> +
> +optional_policy(`
>   	hadoop_role(sysadm_r, sysadm_t)
>   ')
>   
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index efb31d0a..49eff3a6 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -664,6 +664,10 @@ template(`userdom_common_user_template',`
>   	')
>   
>   	optional_policy(`
> +		gssproxy_stream_connect($1_t)
> +	')
> +
> +	optional_policy(`
>   		hwloc_exec_dhwd($1_t)
>   		hwloc_read_runtime_files($1_t)
>   	')

Merged.

-- 
Chris PeBenito

