* [refpolicy] Syntax fixes in contrib
@ 2014-11-26  6:38 Jason Zaman
  2014-11-26  6:38 ` [refpolicy] [PATCH 01/18] ccs: syntax errors in ccs_admin interface Jason Zaman
                   ` (18 more replies)
  0 siblings, 19 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:38 UTC (permalink / raw)
  To: refpolicy

I was going through the policy and adding all the _admin interfaces to sysadm
in the gentoo policy and hit quite a number of syntax errors. They are mostly
just typos and missing types in gen_require.

The last two remove the _role interface to not be called from _admin since the
_role is already called in the role definitions and there is a
conflict if it gets called twice so removing it from the _admin interface
seemed reasonable. Commented them out and wrote a note above. Would it instead
be preferred if I just removed it completely?

-- Jason


* [refpolicy] [PATCH 01/18] ccs: syntax errors in ccs_admin interface
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
@ 2014-11-26  6:38 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 02/18] condor: syntax error in condor_admin Jason Zaman
                   ` (17 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:38 UTC (permalink / raw)
  To: refpolicy

---
 ccs.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/ccs.if b/ccs.if
index 5ded72d..bb17e0f 100644
--- a/ccs.if
+++ b/ccs.if
@@ -98,8 +98,8 @@ interface(`ccs_manage_config',`
 interface(`ccs_admin',`
 	gen_require(`
 		type ccs_t, ccs_initrc_exec_t, cluster_conf_t;
-		type ccs_var_lib_t_t, ccs_var_log_t;
-		type ccs_var_run_t, ccs_tmp_t;
+		type ccs_var_lib_t, ccs_var_log_t;
+		type ccs_var_run_t, ccs_tmp_t, ccs_conf_t;
 	')
 
 	allow $1 ccs_t:process { ptrace signal_perms };
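Review bot: the added `ccs_conf_t` on the second `type` line of `gen_require` is not referenced by anything visible in this hunk, and the patch has no commit message, so a reader cannot tell a missing require from a stray addition. Please say in the commit message which statement in `ccs_admin` uses `ccs_conf_t` (the require already lists `cluster_conf_t`), and that the `ccs_var_lib_t_t` to `ccs_var_lib_t` change is the typo fix.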
-- 
2.0.4


* [refpolicy] [PATCH 02/18] condor: syntax error in condor_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
  2014-11-26  6:38 ` [refpolicy] [PATCH 01/18] ccs: syntax errors in ccs_admin interface Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 03/18] distcc: syntax error in distcc_admin Jason Zaman
                   ` (16 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 condor.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/condor.if b/condor.if
index 881d92f..c80aaf5 100644
--- a/condor.if
+++ b/condor.if
@@ -58,7 +58,7 @@ template(`condor_domain_template',`
 interface(`condor_admin',`
 	gen_require(`
 		attribute condor_domain;
-		type condor_initrc_exec_config_t, condor_log_t;
+		type condor_initrc_exec_t, condor_log_t;
 		type condor_var_lib_t, condor_var_lock_t, condor_schedd_tmp_t;
 		type condor_var_run_t, condor_startd_tmp_t, condor_conf_t;
 	')
-- 
2.0.4


* [refpolicy] [PATCH 03/18] distcc: syntax error in distcc_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
  2014-11-26  6:38 ` [refpolicy] [PATCH 01/18] ccs: syntax errors in ccs_admin interface Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 02/18] condor: syntax error in condor_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 04/18] ftp: syntax error in ftp_admin Jason Zaman
                   ` (15 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 distcc.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/distcc.if b/distcc.if
index 24d8c74..473823d 100644
--- a/distcc.if
+++ b/distcc.if
@@ -20,7 +20,7 @@
 interface(`distcc_admin',`
 	gen_require(`
 		type distccd_t, distccd_t, distccd_log_t;
-		type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
+		type distccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
 	')
 
 	allow $1 distccd_t:process { ptrace signal_perms };
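Review bot: the unchanged context line `type distccd_t, distccd_t, distccd_log_t;` lists `distccd_t` twice, and this patch leaves it alone while fixing the `disccd_var_run_t` typo on the line below. Since the hunk already touches this `gen_require`, drop the duplicate in the same patch, for example `type distccd_t, distccd_log_t;`, or name the other type if a different one was intended.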
-- 
2.0.4


* [refpolicy] [PATCH 04/18] ftp: syntax error in ftp_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (2 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 03/18] distcc: syntax error in distcc_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 05/18] kerberos: syntax error in kerberos_admin Jason Zaman
                   ` (14 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 ftp.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/ftp.if b/ftp.if
index 4498143..65adda9 100644
--- a/ftp.if
+++ b/ftp.if
@@ -179,7 +179,7 @@ interface(`ftp_admin',`
 		type ftpd_keytab_t;
 	')
 
-	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd }:process { ptrace signal_perms };
+	allow $1 { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t }:process { ptrace signal_perms };
 	ps_process_pattern($1, { ftpd_t ftpdctl_t sftpd_t anon_sftpd_t })
 
 	init_labeled_script_domtrans($1, ftpd_initrc_exec_t)
-- 
2.0.4


* [refpolicy] [PATCH 05/18] kerberos: syntax error in kerberos_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (3 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 04/18] ftp: syntax error in ftp_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 06/18] kismet: syntax error in kismet_admin Jason Zaman
                   ` (13 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 kerberos.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/kerberos.if b/kerberos.if
index f6c00d8..77a5c49 100644
--- a/kerberos.if
+++ b/kerberos.if
@@ -490,8 +490,8 @@ interface(`kerberos_admin',`
 		type krb5kdc_var_run_t, krb5_host_rcache_t;
 	')
 
-	allow $1 { kadmind_t krb5kdc_t kpropd }:process { ptrace signal_perms };
-	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd })
+	allow $1 { kadmind_t krb5kdc_t kpropd_t }:process { ptrace signal_perms };
+	ps_process_pattern($1, { kadmind_t krb5kdc_t kpropd_t })
 
 	init_labeled_script_domtrans($1, kerberos_initrc_exec_t)
 	domain_system_change_exemption($1)
-- 
2.0.4


* [refpolicy] [PATCH 06/18] kismet: syntax error in kismet_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (4 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 05/18] kerberos: syntax error in kerberos_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 07/18] nut: syntax error in nut_admin Jason Zaman
                   ` (12 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 kismet.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/kismet.if b/kismet.if
index aa2a337..f20de6e 100644
--- a/kismet.if
+++ b/kismet.if
@@ -283,7 +283,7 @@ interface(`kismet_manage_log',`
 interface(`kismet_admin',`
 	gen_require(`
 		type kismet_t, kismet_var_lib_t, kismet_var_run_t;
-		type kismet_log_t, kismet_tmp_t;
+		type kismet_log_t, kismet_tmp_t, kismet_initrc_exec_t;
 	')
 
 	init_labeled_script_domtrans($1, kismet_initrc_exec_t)
-- 
2.0.4


* [refpolicy] [PATCH 07/18] nut: syntax error in nut_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (5 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 06/18] kismet: syntax error in kismet_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 08/18] prelude: syntax error in prelude_admin Jason Zaman
                   ` (11 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 nut.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/nut.if b/nut.if
index 57c0161..c606ae6 100644
--- a/nut.if
+++ b/nut.if
@@ -24,7 +24,7 @@ interface(`nut_admin',`
 	')
 
 	allow $1 nut_domain:process { ptrace signal_perms };
-	ps_process_pattern($1, nut_domain_t)
+	ps_process_pattern($1, nut_domain)
 
 	init_labeled_script_domtrans($1, nut_initrc_exec_t)
 	domain_system_change_exemption($1)
-- 
2.0.4


* [refpolicy] [PATCH 08/18] prelude: syntax error in prelude_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (6 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 07/18] nut: syntax error in nut_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 09/18] psad: syntax error in psad_admin Jason Zaman
                   ` (10 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 prelude.if | 1 +
 1 file changed, 1 insertion(+)

diff --git a/prelude.if b/prelude.if
index c83a838..db8f510 100644
--- a/prelude.if
+++ b/prelude.if
@@ -120,6 +120,7 @@ interface(`prelude_admin',`
 		type prelude_var_run_t, prelude_var_lib_t, prelude_log_t;
 		type prelude_audisp_t, prelude_audisp_var_run_t;
 		type prelude_initrc_exec_t, prelude_lml_t, prelude_lml_tmp_t;
+		type prelude_correlator_t;
 	')
 
 	allow $1 { prelude_t prelude_audisp_t prelude_lml_t prelude_correlator_t }:process { ptrace signal_perms };
-- 
2.0.4


* [refpolicy] [PATCH 09/18] psad: syntax error in psad_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (7 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 08/18] prelude: syntax error in prelude_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 10/18] quota: syntax error in quota_admin Jason Zaman
                   ` (9 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 psad.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/psad.if b/psad.if
index d4dcf78..cdc83d2 100644
--- a/psad.if
+++ b/psad.if
@@ -236,7 +236,7 @@ interface(`psad_admin',`
 	gen_require(`
 		type psad_t, psad_var_run_t, psad_var_log_t;
 		type psad_initrc_exec_t, psad_var_lib_t;
-		type psad_tmp_t;
+		type psad_tmp_t, psad_etc_t;
 	')
 
 	allow $1 psad_t:process { ptrace signal_perms };
-- 
2.0.4


* [refpolicy] [PATCH 10/18] quota: syntax error in quota_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (8 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 09/18] psad: syntax error in psad_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 11/18] rpcbind: syntax error in rpcbind_admin Jason Zaman
                   ` (8 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 quota.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/quota.if b/quota.if
index da64218..68611e3 100644
--- a/quota.if
+++ b/quota.if
@@ -190,7 +190,7 @@ interface(`quota_admin',`
 	allow $2 system_r;
 
 	files_list_all($1)
-	admin_pattern($1, { quota_db_t quota_flag quota_nld_var_run_t })
+	admin_pattern($1, { quota_db_t quota_flag_t quota_nld_var_run_t })
 
 	quota_run($1, $2)
 ')
-- 
2.0.4


* [refpolicy] [PATCH 11/18] rpcbind: syntax error in rpcbind_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (9 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 10/18] quota: syntax error in quota_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 12/18] rpm: syntax error in rpm_admin Jason Zaman
                   ` (7 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 rpcbind.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rpcbind.if b/rpcbind.if
index 3b5e9ee..1a1cb99 100644
--- a/rpcbind.if
+++ b/rpcbind.if
@@ -160,7 +160,7 @@ interface(`rpcbind_admin',`
 	allow $1 rpcbind_t:process { ptrace signal_perms };
 	ps_process_pattern($1, rpcbind_t)
 
-	init_labeled_script_domtrans($1, rbcbind_initrc_exec_t)
+	init_labeled_script_domtrans($1, rpcbind_initrc_exec_t)
 	domain_system_change_exemption($1)
 	role_transition $2 rpcbind_initrc_exec_t system_r;
 	allow $2 system_r;
-- 
2.0.4


* [refpolicy] [PATCH 12/18] rpm: syntax error in rpm_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (10 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 11/18] rpcbind: syntax error in rpcbind_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 13/18] systemtap: syntax error in stapserver_admin Jason Zaman
                   ` (6 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 rpm.if | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/rpm.if b/rpm.if
index ef3b225..fc9c8d8 100644
--- a/rpm.if
+++ b/rpm.if
@@ -626,8 +626,8 @@ interface(`rpm_pid_filetrans_rpm_pid',`
 interface(`rpm_admin',`
 	gen_require(`
 		type rpm_t, rpm_script_t, rpm_initrc_exec_t;
-		type rpm_var_cache_t, rpm_var_lib_t, rpm_lock_t;
-		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t;
+		type rpm_cache_t, rpm_var_lib_t, rpm_lock_t;
+		type rpm_log_t, rpm_tmpfs_t, rpm_tmp_t, rpm_var_run_t;
 		type rpm_script_tmp_t, rpm_script_tmpfs_t, rpm_file_t;
 	')
 
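Review bot: replacing `rpm_var_cache_t` with `rpm_cache_t` in `gen_require` is a change of type name rather than a spelling fix, and the hunk does not show the body of `rpm_admin`, so it is not visible whether the body already refers to `rpm_cache_t`. Please confirm that the statements below the require use `rpm_cache_t` and the newly required `rpm_var_run_t`, and say so in the commit message, which is currently empty.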
-- 
2.0.4


* [refpolicy] [PATCH 13/18] systemtap: syntax error in stapserver_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (11 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 12/18] rpm: syntax error in rpm_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 14/18] svnserve: syntax error in svnserve_admin Jason Zaman
                   ` (5 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 systemtap.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/systemtap.if b/systemtap.if
index c755e2d..d60a21e 100644
--- a/systemtap.if
+++ b/systemtap.if
@@ -20,7 +20,7 @@
 interface(`stapserver_admin',`
 	gen_require(`
 		type stapserver_t, stapserver_conf_t, stapserver_log_t;
-		type stap_server_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
+		type stapserver_var_run_t, stapserver_initrc_exec_t, stapserver_var_lib_t;
 	')
 
 	allow $1 stapserver_t:process { ptrace signal_perms };
-- 
2.0.4


* [refpolicy] [PATCH 14/18] svnserve: syntax error in svnserve_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (12 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 13/18] systemtap: syntax error in stapserver_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 15/18] uptime: syntax error in uptime_admin Jason Zaman
                   ` (4 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 svnserve.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/svnserve.if b/svnserve.if
index 2ac91b6..5cd46e9 100644
--- a/svnserve.if
+++ b/svnserve.if
@@ -31,5 +31,5 @@ interface(`svnserve_admin',`
 	allow $2 system_r;
 
 	files_search_pids($1)
-	admin_pattern($1, httpd_var_run_t)
+	admin_pattern($1, svnserve_var_run_t)
 ')
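Review bot: the subject calls this a syntax error, but the removed line `admin_pattern($1, httpd_var_run_t)` names a type belonging to a different service, so the fix changes which files `svnserve_admin` gives the caller admin access to. Please describe it that way in the commit message, and confirm that `svnserve_var_run_t` is listed in the interface's `gen_require`, which this hunk does not show.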
-- 
2.0.4


* [refpolicy] [PATCH 15/18] uptime: syntax error in uptime_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (13 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 14/18] svnserve: syntax error in svnserve_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 16/18] zabbix: syntax error in zabbix_admin Jason Zaman
                   ` (3 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 uptime.if | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/uptime.if b/uptime.if
index 01a3234..19f4724 100644
--- a/uptime.if
+++ b/uptime.if
@@ -19,7 +19,7 @@
 #
 interface(`uptime_admin',`
 	gen_require(`
-		type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
+		type uptimed_t, uptimed_initrc_exec_t, uptimed_etc_t;
 		type uptimed_spool_t, uptimed_var_run_t;
 	')
 
-- 
2.0.4


* [refpolicy] [PATCH 16/18] zabbix: syntax error in zabbix_admin
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (14 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 15/18] uptime: syntax error in uptime_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 17/18] remove pyzor_role() from pyzor_admin() Jason Zaman
                   ` (2 subsequent siblings)
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

---
 zabbix.if | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/zabbix.if b/zabbix.if
index dd63de0..29d87d7 100644
--- a/zabbix.if
+++ b/zabbix.if
@@ -138,9 +138,9 @@ interface(`zabbix_agent_tcp_connect',`
 #
 interface(`zabbix_admin',`
 	gen_require(`
-		type zabbix_t, zabbix_log_t, zabbix_var_run_t;
-		type zabbix_initrc_exec_t, zabbit_agent_initrc_exec_t, zabbix_tmp_t;
-		type zabbit_tmpfs_t;
+		type zabbix_t, zabbix_agent_t, zabbix_log_t, zabbix_var_run_t;
+		type zabbix_initrc_exec_t, zabbix_agent_initrc_exec_t, zabbix_tmp_t;
+		type zabbix_tmpfs_t;
 	')
 
 	allow $1 { zabbix_t zabbix_agent_t }:process { ptrace signal_perms };
-- 
2.0.4


* [refpolicy] [PATCH 17/18] remove pyzor_role() from pyzor_admin()
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (15 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 16/18] zabbix: syntax error in zabbix_admin Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-11-26  6:39 ` [refpolicy] [PATCH 18/18] remove spamassassin_role() from spamassassin_admin() Jason Zaman
  2014-12-02 15:31 ` [refpolicy] Syntax fixes in contrib Christopher J. PeBenito
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

pyzor_role contains some named filetrans's which can not be applied
twice. The roles already contain pyzor_role which makes adding
pyzor_admin impossible. This removes the role so they can both be
applied.
---
 pyzor.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pyzor.if b/pyzor.if
index 593c03d..c05a504 100644
--- a/pyzor.if
+++ b/pyzor.if
@@ -132,5 +132,6 @@ interface(`pyzor_admin',`
 	files_search_var_lib($1)
 	admin_pattern($1, pyzor_var_lib_t)
 
-	pyzor_role($2, $1)
+	# This makes it impossible to apply _admin if _role has already been applied
+	#pyzor_role($2, $1)
 ')
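Review bot: the new comment above `#pyzor_role($2, $1)` says only that `_admin` cannot be applied after `_role`; it leaves out the reason given in the commit message, that `pyzor_role` contains named filetrans rules which cannot be applied twice. Put that reason in the comment so the call is not re-enabled by mistake, or delete the line and keep the explanation in the commit message, since a commented-out call tends to go stale.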
-- 
2.0.4


* [refpolicy] [PATCH 18/18] remove spamassassin_role() from spamassassin_admin()
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (16 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 17/18] remove pyzor_role() from pyzor_admin() Jason Zaman
@ 2014-11-26  6:39 ` Jason Zaman
  2014-12-02 15:31 ` [refpolicy] Syntax fixes in contrib Christopher J. PeBenito
  18 siblings, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-11-26  6:39 UTC (permalink / raw)
  To: refpolicy

spamassassin_role contains some named filetrans's which can not be
applied twice. The roles already contain spamassassin_role which makes
adding spamassassin_admin impossible. This removes the role so they can
both be applied.
---
 spamassassin.if | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/spamassassin.if b/spamassassin.if
index 1499b0b..7f5a1cc 100644
--- a/spamassassin.if
+++ b/spamassassin.if
@@ -404,5 +404,6 @@ interface(`spamassassin_admin',`
 	files_list_pids($1)
 	admin_pattern($1, spamd_var_run_t)
 
-	spamassassin_role($2, $1)
+	# This makes it impossible to apply _admin if _role has already been applied
+	#spamassassin_role($2, $1)
 ')
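Review bot: with `spamassassin_role($2, $1)` commented out at the end of `spamassassin_admin`, a caller no longer gets the role's access through this interface and has to call `spamassassin_role` separately, but nothing in the hunk tells callers that. Please update the interface's documentation header, not shown here, to say `spamassassin_role` must be applied on its own, and check whether `$2` is still used elsewhere in the body.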
-- 
2.0.4


* [refpolicy] Syntax fixes in contrib
  2014-11-26  6:38 [refpolicy] Syntax fixes in contrib Jason Zaman
                   ` (17 preceding siblings ...)
  2014-11-26  6:39 ` [refpolicy] [PATCH 18/18] remove spamassassin_role() from spamassassin_admin() Jason Zaman
@ 2014-12-02 15:31 ` Christopher J. PeBenito
  2014-12-02 16:15   ` Dominick Grift
  18 siblings, 1 reply; 26+ messages in thread
From: Christopher J. PeBenito @ 2014-12-02 15:31 UTC (permalink / raw)
  To: refpolicy

On 11/26/2014 1:38 AM, Jason Zaman wrote:
> I was going through the policy and adding all the _admin interfaces to sysadm
> in the gentoo policy and hit quite a number of syntax errors. They are mostly
> just typos and missing types in gen_require.
> 
> The last two remove the _role interface to not be called from _admin since the
> _role is already called in the role definitions and there is a
> conflict if it gets called twice so removing it from the _admin interface
> seemed reasonable. Commented them out and wrote a note above. Would it instead
> be preferred if I just removed it completely?

At first I wanted it removed, but then decided it's fine to keep the
comments, so we don't add it back in at some point in the future.  Or
maybe it will work in the future, so we can add it back.

This set is merged.

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com


* [refpolicy] Syntax fixes in contrib
  2014-12-02 15:31 ` [refpolicy] Syntax fixes in contrib Christopher J. PeBenito
@ 2014-12-02 16:15   ` Dominick Grift
  2014-12-02 18:17     ` Jason Zaman
  2014-12-03  9:27     ` Miroslav Grepl
  0 siblings, 2 replies; 26+ messages in thread
From: Dominick Grift @ 2014-12-02 16:15 UTC (permalink / raw)
  To: refpolicy

On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
> On 11/26/2014 1:38 AM, Jason Zaman wrote:
> > I was going through the policy and adding all the _admin interfaces to sysadm
> > in the gentoo policy and hit quite a number of syntax errors. They are mostly
> > just typos and missing types in gen_require.

The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.

This is also one of the reasons why I prefer only adding interfaces that are actually used.

On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support.

-- 
Dominick Grift
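
The gap described in the message above (an interface that is never called is never compiled, so typos in `gen_require` go unnoticed) can be narrowed with a static check. The following is an added example, not code from refpolicy or from anyone in this thread: `lint_interfaces` and its finding labels are hypothetical names, the sample input is constructed from the pre-patch `distcc_admin` and `uptime_admin` require blocks in patches 03 and 15 with made-up body lines, and the check relies on the `_t` naming convention for types.

```python
"""Static check of refpolicy-style interfaces: gen_require vs. types used."""
import re

# An interface/template body runs to the closing ') in column 0; the
# gen_require block closes with an indented ') so it is not mistaken for it.
IFACE_RE = re.compile(r"(?:interface|template)\(`(\w+)',`\n(.*?)\n'\)", re.S)
REQUIRE_RE = re.compile(r"gen_require\(`(.*?)'\)", re.S)
IDENT_RE = re.compile(r"[A-Za-z_]\w*")
# Heuristic: type names end in _t. Template names such as $1_t are skipped
# because the match must start at a word boundary with a lowercase letter.
TYPE_USE_RE = re.compile(r"\b[a-z][a-z0-9_]*_t\b")

# Constructed sample. The gen_require lines are the pre-patch lines quoted in
# patches 03 and 15; the body lines after each require are made up for the demo.
SAMPLE_IF = """
interface(`distcc_admin',`
    gen_require(`
        type distccd_t, distccd_t, distccd_log_t;
        type disccd_var_run_t, distccd_tmp_t, distccd_initrc_exec_t;
    ')

    allow $1 distccd_t:process { ptrace signal_perms };
    init_labeled_script_domtrans($1, distccd_initrc_exec_t)
    admin_pattern($1, { distccd_log_t distccd_tmp_t distccd_var_run_t })
')

interface(`uptime_admin',`
    gen_require(`
        type uptimed_t, uptimed_initrc_exec_t. uptimed_etc_t;
        type uptimed_spool_t, uptimed_var_run_t;
    ')

    allow $1 uptimed_t:process { ptrace signal_perms };
    init_labeled_script_domtrans($1, uptimed_initrc_exec_t)
    admin_pattern($1, { uptimed_etc_t uptimed_spool_t uptimed_var_run_t })
')
"""


def parse_require(block):
    """Return (type names in declaration order, malformed list entries)."""
    declared, malformed = [], []
    for stmt in block.split(";"):
        words = stmt.split(None, 1)
        if len(words) < 2 or words[0] != "type":
            continue  # attribute/role/class statements are not checked here
        for name in words[1].split(","):
            name = name.strip()
            if IDENT_RE.fullmatch(name):
                declared.append(name)
            else:
                malformed.append(name)  # e.g. '.' typed instead of ','
    return declared, malformed


def lint_interfaces(text):
    """Return a list of (interface, finding, identifier) tuples."""
    findings = []
    for iface, body in IFACE_RE.findall(text):
        req = REQUIRE_RE.search(body)
        declared, malformed = parse_require(req.group(1)) if req else ([], [])
        # Everything outside gen_require, with # comments removed, is "use".
        rest = re.sub(r"#.*", "", REQUIRE_RE.sub("", body))
        used = set(TYPE_USE_RE.findall(rest))

        seen = set()
        for name in declared:
            if name in seen:
                findings.append((iface, "duplicate-require", name))
            seen.add(name)
        for name in malformed:
            findings.append((iface, "malformed-require", name))
        # A type used in the body but absent from gen_require fails to compile
        # as soon as some caller finally expands the interface.
        for name in sorted(used - seen):
            findings.append((iface, "used-not-required", name))
        # A required type that is never used is often the misspelled twin
        # of a used-not-required one.
        for name in sorted(seen - used):
            findings.append((iface, "required-not-used", name))
    return findings


if __name__ == "__main__":
    for iface, kind, ident in lint_interfaces(SAMPLE_IF):
        print(f"{iface}: {kind}: {ident}")
```

Attribute names such as `nut_domain` carry no suffix, so this heuristic only catches the attribute case when a `_t` is wrongly appended, as in patch 07.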

* [refpolicy] Syntax fixes in contrib
  2014-12-02 16:15   ` Dominick Grift
@ 2014-12-02 18:17     ` Jason Zaman
  2014-12-03  9:27     ` Miroslav Grepl
  1 sibling, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-12-02 18:17 UTC (permalink / raw)
  To: refpolicy

On Tue, Dec 02, 2014 at 05:15:43PM +0100, Dominick Grift wrote:
> On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
> > On 11/26/2014 1:38 AM, Jason Zaman wrote:
> > > I was going through the policy and adding all the _admin interfaces to sysadm
> > > in the gentoo policy and hit quite a number of syntax errors. They are mostly
> > > just typos and missing types in gen_require.
> 
> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
> 
> This is also one of the reasons why I prefer only adding interfaces that are actually used.
> 
> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support.
> 
> -- 
> Dominick Grift

Would a patch for adding all of the foo_admin() interfaces to sysadm.te
in refpol be accepted? And if I send a patch to add them, where in
sysadm.te would be the best? Put them directly in the main part of the
file or should they go in the ifndef(distro_redhat section?

-- Jason


* [refpolicy] Syntax fixes in contrib
  2014-12-02 16:15   ` Dominick Grift
  2014-12-02 18:17     ` Jason Zaman
@ 2014-12-03  9:27     ` Miroslav Grepl
  2014-12-03 12:33       ` Jason Zaman
  2014-12-03 14:33       ` Dominick Grift
  1 sibling, 2 replies; 26+ messages in thread
From: Miroslav Grepl @ 2014-12-03  9:27 UTC (permalink / raw)
  To: refpolicy

On 12/02/2014 05:15 PM, Dominick Grift wrote:
> On Tue, Dec 02, 2014 at 10:31:38AM -0500, Christopher J. PeBenito wrote:
>> On 11/26/2014 1:38 AM, Jason Zaman wrote:
>>> I was going through the policy and adding all the _admin interfaces to sysadm
>>> in the gentoo policy and hit quite a number of syntax errors. They are mostly
>>> just typos and missing types in gen_require.
> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
>
> This is also one of the reasons why I prefer only adding interfaces that are actually used.
>
> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support.
>
We have tests for testing these _admin() interfaces in RHEL. I believe 
we could add them to Fedora to have them available.

* [refpolicy] Syntax fixes in contrib
  2014-12-03  9:27     ` Miroslav Grepl
@ 2014-12-03 12:33       ` Jason Zaman
  2014-12-03 14:33       ` Dominick Grift
  1 sibling, 0 replies; 26+ messages in thread
From: Jason Zaman @ 2014-12-03 12:33 UTC (permalink / raw)
  To: refpolicy

On Wed, Dec 03, 2014 at 10:27:09AM +0100, Miroslav Grepl wrote:
> 
>    We have tests for testing these _admin() interfaces in RHEL. I believe
>    we could add them to Fedora to have them available.

I sent a big patch adding all the interfaces to sysadm.te. If you could
run your test suite on it to verify there are no errors I missed, that
would be great.

-- Jason


* [refpolicy] Syntax fixes in contrib
  2014-12-03  9:27     ` Miroslav Grepl
  2014-12-03 12:33       ` Jason Zaman
@ 2014-12-03 14:33       ` Dominick Grift
  2014-12-03 14:44         ` Christopher J. PeBenito
  1 sibling, 1 reply; 26+ messages in thread
From: Dominick Grift @ 2014-12-03 14:33 UTC (permalink / raw)
  To: refpolicy

On Wed, 2014-12-03 at 10:27 +0100, Miroslav Grepl wrote:

> > > > 
> > The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
> > 
> > This is also one of the reasons why I prefer only adding interfaces that are actually used.
> > 
> > On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support.
> > 
> > 


> We have tests for testing these _admin() interfaces in RHEL. I believe
> we could add them to Fedora to have them available.

Could be interesting. I fear however that the tests aren't going to be
the problem, but rather running them consistently when an unused
interface is added.

I might be wrong with that assumption though.


* [refpolicy] Syntax fixes in contrib
  2014-12-03 14:33       ` Dominick Grift
@ 2014-12-03 14:44         ` Christopher J. PeBenito
  0 siblings, 0 replies; 26+ messages in thread
From: Christopher J. PeBenito @ 2014-12-03 14:44 UTC (permalink / raw)
  To: refpolicy

On 12/3/2014 9:33 AM, Dominick Grift wrote:
> On Wed, 2014-12-03 at 10:27 +0100, Miroslav Grepl wrote:
> 
>>>>>
>>> The problem with the admin interfaces (any interfaces for that matter) is that unless they are called they aren't tested.
>>>
>>> This is also one of the reasons why I prefer only adding interfaces that are actually used.
>>>
>>> On the other hand, adding interfaces even if they aren't used does make sense for audit2allow/sepolgen-ifgen, and for the confined admin support.
>>>
>>>
> 
> 
>> We have tests for testing these _admin() interfaces in RHEL. I believe
>> we could add them to Fedora to have them available.
> 
> Could be interesting. I fear however that the tests aren't going to be
> the problem, but rather running them consistently when an unused
> interface is added.
> 
> I might be wrong with that assumption though.

In the long run I'm not really concerned, as there will eventually be a
refpolicy->CIL compiler[1], which would do syntax checking on
interfaces, since they would be proper language constructs, instead of
macros.

[1] https://bitbucket.org/jwcarter/fpp

-- 
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
