From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] misc network patches
Date: Wed, 20 Jan 2021 20:42:21 +1100 [thread overview]
Message-ID: <YAf6/c8XKLACDF9P@xev> (raw)
Collection of net related patches, ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210120/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20210120/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
corenet_all_recvfrom_netlabel(ping_t)
corenet_sendrecv_icmp_packets(ping_t)
@@ -164,13 +165,14 @@ allow traceroute_t self:capability { net
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;
can_exec(traceroute_t, traceroute_exec_t)
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)
corecmd_search_bin(traceroute_t)
@@ -205,6 +207,7 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
+miscfiles_read_generic_certs(traceroute_t)
miscfiles_read_localization(traceroute_t)
userdom_use_inherited_user_terminals(traceroute_t)
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.3)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether DHCP client
+## can manage samba
+## </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
attribute_role dhcpc_roles;
roleattribute system_r dhcpc_roles;
@@ -175,6 +183,15 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ tunable_policy(`dhcpc_manage_samba',`
+ samba_manage_var_files(dhcpc_t)
+ init_exec_script_files(dhcpc_t)
+ init_get_system_status(dhcpc_t)
+ samba_restart(dhcpc_t)
+ ')
+')
+
+optional_policy(`
avahi_domtrans(dhcpc_t)
')
Index: refpolicy-2.20210120/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20210120/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#
corenet_ib_access_unlabeled_pkeys(staff_t)
+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
')
@@ -36,6 +40,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
@@ -65,6 +73,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(staff_t)
+')
+
+optional_policy(`
xscreensaver_role(staff_r, staff_t)
')
Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)
#role user_r;
userdom_unpriv_user_template(user)
+tunable_policy(`user_bind_unreserved', `
+ corenet_tcp_bind_all_unreserved_ports(user_t)
+ corenet_udp_bind_all_unreserved_ports(user_t)
+ corenet_tcp_bind_generic_node(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
@@ -25,6 +37,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
@@ -33,6 +49,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(user_t)
+')
+
+optional_policy(`
xscreensaver_role(user_r, user_t)
')
Index: refpolicy-2.20210120/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.if
+++ refpolicy-2.20210120/policy/modules/services/samba.if
@@ -729,3 +729,22 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
')
+
+########################################
+## <summary>
+## Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_restart',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service { start stop status reload };
+')
Index: refpolicy-2.20210120/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20210120/policy/modules/system/xdg.if
@@ -921,6 +921,24 @@ interface(`xdg_watch_documents_dirs',`
########################################
## <summary>
+## Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_documents_t type.
## </summary>
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
files_runtime_filetrans(mon_t, mon_runtime_t, file)
+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
kernel_read_kernel_sysctls(mon_t)
kernel_read_network_state(mon_t)
kernel_read_system_state(mon_t)
Index: refpolicy-2.20210120/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210120/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
dev_read_urand(mailman_cgi_t)
files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)
term_use_controlling_term(mailman_cgi_t)
Index: refpolicy-2.20210120/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20210120/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)
dev_read_urand(dkim_milter_t)
# for cpu/online
next reply other threads:[~2021-01-20 11:12 UTC|newest]
Thread overview: 3+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-20 9:42 Russell Coker [this message]
2021-01-20 13:23 ` [PATCH] misc network patches Dominick Grift
2021-01-27 7:00 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YAf6/c8XKLACDF9P@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.