* [PATCH] misc services patches
@ 2021-01-20 10:08 Russell Coker
  2021-01-20 14:53 ` Dominick Grift
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2021-01-20 10:08 UTC (permalink / raw)
  To: selinux-refpolicy

Misc patches for services policy, ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210120/policy/modules/services/apache.fc
@@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php7..-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 
 ifdef(`distro_suse',`
 /usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
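Review bot: The new `/usr/sbin/php7..-fpm` pattern leaves the two dots unescaped and is pinned to the 7.x series, so it matches any two characters after `php7` yet will not label a `php8.0-fpm` binary; the same applies to `/var/log/php7..-fpm.log` in the hunk at -170. A version-agnostic, escaped pattern such as `/usr/sbin/php[0-9]+\.[0-9]+-fpm` and `/var/log/php[0-9]+\.[0-9]+-fpm\.log` avoids both problems. The `/usr/sbin/php-fpm[^/]+` line also requires at least one trailing character, so a plain `php-fpm` binary stays unlabeled; `/usr/sbin/php-fpm[^/]*` would cover both spellings.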
@@ -144,7 +146,7 @@ ifdef(`distro_suse',`
 /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -170,6 +172,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
@@ -178,6 +181,7 @@ ifdef(`distro_suse',`
 /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
 
Index: refpolicy-2.20210120/policy/modules/services/apache.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.if
+++ refpolicy-2.20210120/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
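Review bot: The bare `allow httpd_$1_script_t httpd_$1_rw_content_t:file map;` targets the same subject/object pair as the `manage_files_pattern` call above it; if this tree provides `mmap_manage_files_pattern`, replacing that call with `mmap_manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)` expresses the intent in one line and keeps the two grants from drifting apart. The same manage + separate map pairing recurs at -97 and -1005 in this file, in apache.te at -381, -416, -425, -439 and -614, and in mysql.te, postgrey.te, samba.te, squid.te and xserver.if. Where the pattern macro is not available, a short comment naming which consumer needs to mmap writable content would help the next reader. The enclosing `apache_content_template` starts and ends outside this hunk.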
@@ -97,6 +98,8 @@ template(`apache_content_template',`
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		allow httpd_t httpd_$1_content_t:file map;
+		allow httpd_t httpd_$1_rw_content_t:file map;
 	')
 ')
 
@@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
 	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	allow $1 httpd_sys_rw_content_t:file map;
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
@@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da
 ')
 
 ########################################
+## <summary>
+##	delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+	gen_require(`
+		type squirrelmail_spool_t;
+	')
+
+	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
+	allow $1 squirrelmail_spool_t:file delete_file_perms;
+')
+
+########################################
 ## <summary>
 ##	Search httpd system content.
 ## </summary>
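Review bot: `apache_delete_squirrelmail_spool` grants `rw_dir_perms` on the spool directory, which includes `add_name`, so a caller can create entries as well as delete them; `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` yields exactly `del_entry_dir_perms` on the directory and `delete_file_perms` on the files, matching what the interface name promises. The summary also departs from the file's style, where neighbouring interfaces open with a capitalised sentence, e.g. `##	Delete httpd squirrelmail spool files.`.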
Index: refpolicy-2.20210120/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210120/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
 allow httpd_t httpd_htaccess_type:file read_file_perms;
 
 allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
 allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
 kernel_read_vm_sysctls(httpd_t)
 kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
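Review bot: `dev_rwx_zero(httpd_t)` lets httpd_t create a shared writable-and-executable mapping of /dev/zero, a path the kernel does not subject to the `execmem` process check, so it weakens the W^X property the rest of the httpd_t rules otherwise keep; it is added unconditionally and without a comment naming the consumer. If one scripting module needs it, placing the call under the tunable that enables that module (presumably `httpd_builtin_scripting`, visible at -573) and adding a comment such as `# <module> maps /dev/zero rwx` with the real module name would let the grant be revisited later.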
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_read_anon_inodefs_files(httpd_t)
 fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 
 files_dontaudit_getattr_all_runtime_files(httpd_t)
 files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
 	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
 
 	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
+	allow httpd_t httpdcontent:file { map read_file_perms };
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
 
 	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+	allow httpd_t httpdcontent:file map;
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server'
 ')
 
 tunable_policy(`httpd_enable_homedirs',`
-	userdom_search_user_home_dirs(httpd_t)
+	userdom_list_user_home_content(httpd_t)
 ')
 
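Review bot: Under `httpd_enable_homedirs` the grant widens from searching user home directories to `userdom_list_user_home_content(httpd_t)`, which additionally allows reading the entries of every directory under a user's home rather than only the web-content subtree, and the commit message gives no reason. If the need is only to reach the user's web directory, the narrower `userdom_search_user_home_content(httpd_t)` (if present in this tree) is worth trying first; either way a one-line comment stating which request path required listing would justify the broader rule.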
 tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
@@ -903,6 +913,7 @@ optional_policy(`
 #
 
 read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
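Review bot: `allow httpd_t httpd_config_t:file map;` sits in the httpd_helper_t local policy section, between rules whose subject is httpd_helper_t, yet grants to httpd_t. Either the subject should be `httpd_helper_t`, matching `read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` directly above, or the line belongs next to httpd_t's own config read rules in the -389 hunk of this file; as written it adds an httpd_t rule in the wrong block, which a later cleanup of the helper section could drop by accident. If the helper is the intended subject, `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` would replace both lines.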
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
 
 /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
 
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
+/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 
+/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 
 /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
 
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
 /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
@@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+######################################
+## <summary>
+##     read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
 
 auth_use_nsswitch(aptcacher_t)
 
+files_read_etc_files(aptcacher_t)
+
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
 
Index: refpolicy-2.20210120/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210120/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
 files_read_usr_files(named_t)
+files_map_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
Index: refpolicy-2.20210120/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210120/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+can_exec(colord_t, colord_exec_t)
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -128,6 +130,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	snmp_read_snmp_var_lib_files(colord_t)
+')
+
+optional_policy(`
 	sysnet_exec_ifconfig(colord_t)
 ')
 
@@ -136,6 +142,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(colord_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_lib_files(colord_t)
 	xserver_use_xdm_fds(colord_t)
 ')
Index: refpolicy-2.20210120/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210120/policy/modules/services/cron.te
@@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
+backup_manage_store_files(system_cronjob_t)
+
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
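Review bot: `backup_manage_store_files(system_cronjob_t)` is called unconditionally, while every other cross-module grant this patch adds to cron.te (aptcacher, apache, spamassassin, systemd) is inside an `optional_policy` block; as far as I can tell the backup module is not part of base, so this line breaks any build that omits it. Wrap it in an `optional_policy(...)` block like the others. Giving all system cron jobs manage rights over the whole backup store is also a wide grant; if a specific job needs it, a comment naming that job would help.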
@@ -340,6 +342,11 @@ ifdef(`distro_debian',`
 	')
 
 	optional_policy(`
+		aptcacher_read_config(system_cronjob_t)
+		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+	')
+
+	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
 ')
@@ -435,6 +442,7 @@ optional_policy(`
 	init_dbus_chat(crond_t)
 	init_dbus_chat(system_cronjob_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
@@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
 corenet_tcp_sendrecv_generic_node(system_cronjob_t)
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
@@ -587,6 +596,7 @@ optional_policy(`
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
 	apache_delete_lib_files(system_cronjob_t)
+	apache_delete_squirrelmail_spool(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -659,6 +669,8 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_status(system_cronjob_t)
+	spamassassin_reload(system_cronjob_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210120/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210120/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
 
 allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
 allow cupsd_t self:tcp_socket { accept listen };
@@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
 
 libs_read_lib_files(cupsd_t)
 libs_exec_lib_files(cupsd_t)
+libs_legacy_use_ld_so(cupsd_t)
 
 logging_send_audit_msgs(cupsd_t)
 logging_send_syslog_msg(cupsd_t)
Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210120/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 
Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
+++ refpolicy-2.20210120/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
Index: refpolicy-2.20210120/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20210120/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
+files_search_var_lib(jabberd_t)
+
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_generic_tls_privkey(jabberd_t)
 miscfiles_read_all_certs(jabberd_t)
 
 sysnet_read_config(jabberd_t)
Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
+++ refpolicy-2.20210120/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
 allow l2tpd_t self:tcp_socket { accept listen };
 allow l2tpd_t self:unix_dgram_socket sendto;
 allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
 
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
 
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -150,6 +150,10 @@ optional_policy(`
 	bind_read_zone(mon_net_test_t)
 ')
 
+optional_policy(`
+	mysql_stream_connect(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -159,7 +163,8 @@ optional_policy(`
 # try not to use dontaudit rules for this
 #
 
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
 
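Review bot: The `sys_ptrace` capability alone does not complete the stated goal: reading `/proc/<pid>/maps` goes through ptrace_may_access(), and under SELinux that also checks `process ptrace` between mon_local_test_t and the target's domain, so this hunk will still produce denials for the case the comment describes. The comment is welcome; it should also name the intended targets, and the companion rule should be scoped to those domains (PID 1 is init_t) rather than a domain-wide `ptrace` grant, since the pair of rules amounts to reading any process's memory layout from a monitoring check.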
Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210120/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
Index: refpolicy-2.20210120/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210120/policy/modules/services/mysql.if
@@ -59,7 +59,7 @@ interface(`mysql_signal',`
 		type mysqld_t;
 	')
 
-	allow $1 mysqld_t:process signal;
+	allow $1 mysqld_t:process { signull signal };
 ')
 
 ########################################
Index: refpolicy-2.20210120/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210120/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
 
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
+miscfiles_read_generic_certs(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 
 userdom_search_user_home_dirs(mysqld_t)
Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210120/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
+init_read_state(openvpn_t)
+
 miscfiles_read_localization(openvpn_t)
 miscfiles_read_all_certs(openvpn_t)
 
@@ -163,6 +165,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
@@ -174,3 +180,7 @@ optional_policy(`
 optional_policy(`
 	systemd_use_passwd_agent(openvpn_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(openvpn_t)
+')
Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
+++ refpolicy-2.20210120/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210120/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
 kernel_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 # kernel_mounton_proc(nfsd_t)
Index: refpolicy-2.20210120/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210120/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
 
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
 
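Review bot: `allow samba_net_t self:fifo_file rw_file_perms;` uses the generic file permission set where this file's other fifo rules, and the cupsd_t, mysqld_t and fsdaemon_t rules in this same patch, use `rw_fifo_file_perms`; the line should read `allow samba_net_t self:fifo_file rw_fifo_file_perms;`. Two lines later the object type is `samba_var_run_t`, while every other runtime rule in this file is written against `samba_runtime_t`; unless `samba_var_run_t` is still declared as an alias the rule will not compile, and even if it is, the current name should be used: `allow samba_net_t samba_runtime_t:file { map read_file_perms };` or `mmap_read_files_pattern(samba_net_t, samba_runtime_t, samba_runtime_t)`.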
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
 stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -480,6 +487,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_send_system_bus(smbd_t)
+	dbus_system_bus_client(smbd_t)
+')
+
+optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
 ')
@@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210120/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210120/policy/modules/services/squid.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/squid.te
+++ refpolicy-2.20210120/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
 allow squid_t self:unix_dgram_socket sendto;
 allow squid_t self:unix_stream_socket { accept connectto listen };
 allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;
 
 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
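Review bot: `all_netlink_netfilter_socket_perms` grants every permission on squid_t's netfilter netlink sockets, far broader than the sibling socket rules in this block (`accept listen`, `sendto`). If the need is the normal socket lifecycle plus netlink messages, the conventional narrower set, where this tree defines it, is `allow squid_t self:netlink_netfilter_socket create_netlink_socket_perms;`. A comment on what squid uses the socket for (presumably conntrack or tproxy lookups) would also help the next reader decide whether the rule is still needed.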
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
Index: refpolicy-2.20210120/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210120/policy/modules/services/ssh.te
@@ -268,6 +268,7 @@ ifdef(`init_systemd',`
 	init_dbus_chat(sshd_t)
 	systemd_dbus_chat_logind(sshd_t)
 	init_rw_stream_sockets(sshd_t)
+	systemd_read_logind_sessions_files(sshd_t)
 ')
 
 tunable_policy(`ssh_sysadm_login',`
Index: refpolicy-2.20210120/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/tor.te
+++ refpolicy-2.20210120/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
 
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)
Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20210120/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
+mcs_killall(watchdog_t)
+
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
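Review bot: `mcs_killall(watchdog_t)` is added with no comment saying which watchdog action has to signal processes at every MCS level, and nothing else in the hunk shows a matching rule that lets watchdog_t signal other domains at all (such a rule may exist elsewhere in watchdog.te, which is outside this hunk). Since this exempts the domain from the MCS constraint on signalling, a why-comment above the call, e.g. `# <watchdog action that sends the signals> must reach processes at every MCS level`, would let a reviewer judge whether a narrower grant suffices.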
Index: refpolicy-2.20210120/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210120/policy/modules/services/xserver.if
@@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
 	xdg_search_cache_dirs($1)
 ')
 
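Review bot: The added `allow $1 mesa_shader_cache_t:file map;` expresses read/write and map as two separate rules next to `rw_files_pattern`, whereas the series itself already uses the combined `mmap_read_file_perms` set in aptcacher_read_config; the mmap_ variants of the file patterns (`mmap_rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)` here, if this tree carries it) fold map into the pattern and are the conventional form. The same separate-map-rule shape recurs in the apache.if, apache.te, mysql.te, postgrey.te, samba.te and squid.te hunks of this series and could be expressed the same way. xserver_rw_mesa_shader_cache opens outside the hunk.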


* Re: [PATCH] misc services patches
  2021-01-20 10:08 [PATCH] misc services patches Russell Coker
@ 2021-01-20 14:53 ` Dominick Grift
  2021-01-21 13:25   ` Russell Coker
  0 siblings, 1 reply; 11+ messages in thread
From: Dominick Grift @ 2021-01-20 14:53 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Misc patches for services policy, ready to merge.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210120/policy/modules/services/apache.fc
> @@ -83,6 +83,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
>  /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
>  /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
>  /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> +/usr/sbin/php7..-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)

that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

> +/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
>  
>  ifdef(`distro_suse',`
>  /usr/sbin/httpd2-.*					--	gen_context(system_u:object_r:httpd_exec_t,s0)
> @@ -144,7 +146,7 @@ ifdef(`distro_suse',`
>  /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
> -/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
> +/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
>  /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
>  /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
>  /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
> @@ -170,6 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> +/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> @@ -178,6 +181,7 @@ ifdef(`distro_suse',`
>  /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
> +/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
>  
> Index: refpolicy-2.20210120/policy/modules/services/apache.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.if
> +++ refpolicy-2.20210120/policy/modules/services/apache.if
> @@ -71,6 +71,7 @@ template(`apache_content_template',`
>  
>  	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> +	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
>  	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
>  	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
> @@ -97,6 +98,8 @@ template(`apache_content_template',`
>  
>  	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
>  		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
> +		allow httpd_t httpd_$1_content_t:file map;
> +		allow httpd_t httpd_$1_rw_content_t:file map;
>  	')
>  ')
>  
> @@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
>  	apache_search_sys_content($1)
>  	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
>  	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
> +	allow $1 httpd_sys_rw_content_t:file map;
>  	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
>  ')
>  
> @@ -1132,6 +1136,25 @@ interface(`apache_append_squirrelmail_da
>  ')
>  
>  ########################################
> +## <summary>
> +##	delete httpd squirrelmail spool files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`apache_delete_squirrelmail_spool',`
> +	gen_require(`
> +		type squirrelmail_spool_t;
> +	')
> +
> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> +	allow $1 squirrelmail_spool_t:file delete_file_perms;

delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

> +')
> +
> +########################################
>  ## <summary>
>  ##	Search httpd system content.
>  ## </summary>
> Index: refpolicy-2.20210120/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210120/policy/modules/services/apache.te
> @@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
>  manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
>  manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
>  files_var_filetrans(httpd_t, httpd_cache_t, dir)
> +allow httpd_t httpd_cache_t:file map;
>  
>  allow httpd_t httpd_config_t:dir list_dir_perms;
>  read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
> @@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
>  allow httpd_t httpd_htaccess_type:file read_file_perms;
>  
>  allow httpd_t httpd_ro_content:dir list_dir_perms;
> -allow httpd_t httpd_ro_content:file read_file_perms;
> +allow httpd_t httpd_ro_content:file { map read_file_perms };
>  allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
>  
>  allow httpd_t httpd_keytab_t:file read_file_perms;
> @@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
>  manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
>  manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
>  manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
> +allow httpd_t httpd_squirrelmail_t:file map;
>  
>  allow httpd_t httpd_suexec_exec_t:file read_file_perms;
>  
> @@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
>  
>  manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
> +allow httpd_t httpd_tmp_t:file map;
>  manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
>  files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
> @@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
>  
>  manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
>  manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
> +allow httpd_t httpd_var_lib_t:file map;
>  manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
>  files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
>  
> @@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
>  domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
>  
>  kernel_read_kernel_sysctls(httpd_t)
> +kernel_read_crypto_sysctls(httpd_t)
>  kernel_read_vm_sysctls(httpd_t)
>  kernel_read_vm_overcommit_sysctl(httpd_t)
>  kernel_read_network_state(httpd_t)
> @@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
>  dev_read_rand(httpd_t)
>  dev_read_urand(httpd_t)
>  dev_rw_crypto(httpd_t)
> +dev_rwx_zero(httpd_t)
>  
>  domain_use_interactive_fds(httpd_t)
>  
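Review bot: `dev_rwx_zero(httpd_t)` grants read, write and execute on /dev/zero, which lets the domain create writable and executable mappings that the execmem restriction would otherwise block, and the hunk carries no comment saying which httpd component needs that. A why-comment naming the component, e.g. `# <component> maps /dev/zero executable`, or placing the call under a tunable so sites that do not run that component keep W^X, would keep the exception reviewable.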
> @@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
>  
>  fs_read_anon_inodefs_files(httpd_t)
>  fs_rw_inherited_hugetlbfs_files(httpd_t)
> +fs_mmap_rw_hugetlbfs_files(httpd_t)
>  fs_read_iso9660_files(httpd_t)
>  
>  files_dontaudit_getattr_all_runtime_files(httpd_t)
>  files_read_usr_files(httpd_t)
> +files_map_usr_files(httpd_t)
>  files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
> @@ -504,6 +512,7 @@ files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
>  files_read_var_lib_symlinks(httpd_t)
> +files_map_etc_files(httpd_t)
>  
>  auth_use_nsswitch(httpd_t)
>  
> @@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
>  	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
>  
>  	allow httpd_t httpdcontent:dir list_dir_perms;
> -	allow httpd_t httpdcontent:file read_file_perms;
> +	allow httpd_t httpdcontent:file { map read_file_perms };
>  	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
>  
>  	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
> @@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
>  
>  	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
> +	allow httpd_t httpdcontent:file map;
>  	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
>  	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
> @@ -625,7 +635,7 @@ tunable_policy(`httpd_enable_ftp_server'
>  ')
>  
>  tunable_policy(`httpd_enable_homedirs',`
> -	userdom_search_user_home_dirs(httpd_t)
> +	userdom_list_user_home_content(httpd_t)

this is not how it was designed. If you want that functionality then set
httpd_read_user_content boolean to true instead

>  ')
>  
>  tunable_policy(`httpd_enable_homedirs && use_nfs_home_dirs',`
> @@ -903,6 +913,7 @@ optional_policy(`
>  #
>  
>  read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
> +allow httpd_t httpd_config_t:file map;
>  
>  append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
>  read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
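Review bot: The added `allow httpd_t httpd_config_t:file map;` sits in the httpd_helper_t local policy (every context line around it names httpd_helper_t) but grants httpd_t, so as written it silently widens the main daemon instead of the helper; presumably the subject should be `httpd_helper_t`, or the rule belongs with the httpd_t config rules near the earlier `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` hunk. If the helper is the intended subject, `mmap_read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` in place of the read pattern plus the map rule would state it in one line.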
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.fc
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.fc
> @@ -2,12 +2,15 @@
>  
>  /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
>  
> -/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
> +/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
>  
> +/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
>  /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
>  
> +/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
>  /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
>  
>  /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
>  
> +/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
>  /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.if
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.if
> @@ -63,3 +63,23 @@ interface(`aptcacher_stream_connect',`
>  	files_search_runtime($1)
>  	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
>  ')
> +
> +######################################
> +## <summary>
> +##     read aptcacher config
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed to read it.
> +##     </summary>
> +## </param>
> +#
> +interface(`aptcacher_read_config',`
> +	gen_require(`
> +		type aptcacher_etc_t;
> +	')
> +
> +	files_search_etc($1)
> +	allow $1 aptcacher_etc_t:dir list_dir_perms;
> +	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
> +')
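Review bot: The XML doc comment for aptcacher_read_config indents with spaces (`##     read aptcacher config`) while the other interface added by this series, apache_delete_squirrelmail_spool, and the surrounding .if files indent with a tab, and the summary is a lower-case fragment where neighbouring summaries are sentences. `##\tRead aptcacher configuration files.` and `##\tDomain allowed access.` would match the house style.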
> Index: refpolicy-2.20210120/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210120/policy/modules/services/aptcacher.te
> @@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
>  
>  auth_use_nsswitch(aptcacher_t)
>  
> +files_read_etc_files(aptcacher_t)
> +
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210120/policy/modules/services/bind.te
> @@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
>  
>  files_read_etc_runtime_files(named_t)
>  files_read_usr_files(named_t)
> +files_map_usr_files(named_t)
>  
>  fs_getattr_all_fs(named_t)
>  fs_search_auto_mountpoints(named_t)
> Index: refpolicy-2.20210120/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210120/policy/modules/services/colord.te
> @@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
>  allow colord_t self:tcp_socket { accept listen };
>  allow colord_t self:shm create_shm_perms;
>  
> +can_exec(colord_t, colord_exec_t)
> +
>  manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
>  files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
> @@ -128,6 +130,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	snmp_read_snmp_var_lib_files(colord_t)
> +')
> +
> +optional_policy(`
>  	sysnet_exec_ifconfig(colord_t)
>  ')
>  
> @@ -136,6 +142,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(colord_t)
> +')
> +
> +optional_policy(`
>  	xserver_read_xdm_lib_files(colord_t)
>  	xserver_use_xdm_fds(colord_t)
>  ')
> Index: refpolicy-2.20210120/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210120/policy/modules/services/cron.te
> @@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
>  init_get_generic_units_status(system_cronjob_t)
>  init_get_system_status(system_cronjob_t)
>  
> +backup_manage_store_files(system_cronjob_t)
> +
>  auth_manage_var_auth(crond_t)
>  auth_use_pam(crond_t)
>  
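Review bot: `backup_manage_store_files(system_cronjob_t)` is called at file top level rather than inside an `optional_policy(` block, while every other cross-module call this series adds to cron.te (`aptcacher_read_config`, `systemd_read_journal_files`, `apache_delete_squirrelmail_spool`, `spamassassin_status`) is wrapped; a call into a module that may be disabled or built separately belongs in `optional_policy(` so cron does not fail to link when backup is absent. Wrap it the same way: an `optional_policy(` line, the tab-indented `backup_manage_store_files(system_cronjob_t)`, and a closing `')`.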
> @@ -340,6 +342,11 @@ ifdef(`distro_debian',`
>  	')
>  
>  	optional_policy(`
> +		aptcacher_read_config(system_cronjob_t)
> +		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
> +	')
> +
> +	optional_policy(`
>  		logwatch_search_cache_dir(crond_t)
>  	')
>  ')
> @@ -435,6 +442,7 @@ optional_policy(`
>  	init_dbus_chat(crond_t)
>  	init_dbus_chat(system_cronjob_t)
>  	systemd_dbus_chat_logind(system_cronjob_t)
> +	systemd_read_journal_files(system_cronjob_t)
>  	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
>  	# so cron jobs can restart daemons
>  	init_stream_connect(system_cronjob_t)
> @@ -505,6 +513,7 @@ corenet_tcp_sendrecv_generic_if(system_c
>  corenet_udp_sendrecv_generic_if(system_cronjob_t)
>  corenet_tcp_sendrecv_generic_node(system_cronjob_t)
>  corenet_udp_sendrecv_generic_node(system_cronjob_t)
> +corenet_udp_bind_generic_node(system_cronjob_t)
>  
>  dev_getattr_all_blk_files(system_cronjob_t)
>  dev_getattr_all_chr_files(system_cronjob_t)
> @@ -587,6 +596,7 @@ optional_policy(`
>  	apache_read_log(system_cronjob_t)
>  	apache_read_sys_content(system_cronjob_t)
>  	apache_delete_lib_files(system_cronjob_t)
> +	apache_delete_squirrelmail_spool(system_cronjob_t)
>  ')
>  
>  optional_policy(`
> @@ -659,6 +669,8 @@ optional_policy(`
>  
>  optional_policy(`
>  	spamassassin_manage_lib_files(system_cronjob_t)
> +	spamassassin_status(system_cronjob_t)
> +	spamassassin_reload(system_cronjob_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210120/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210120/policy/modules/services/cups.te
> @@ -111,11 +111,12 @@ ifdef(`enable_mls',`
>  
>  allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
>  dontaudit cupsd_t self:capability { net_admin sys_tty_config };
> -allow cupsd_t self:capability2 block_suspend;
> +allow cupsd_t self:capability2 { block_suspend wake_alarm };
>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>  getattr read setopt };

create_socket_perms, use the permission sets and patterns where appropriate

>  allow cupsd_t self:shm create_shm_perms;
>  allow cupsd_t self:sem create_sem_perms;
>  allow cupsd_t self:tcp_socket { accept listen };
> @@ -254,6 +255,7 @@ auth_use_nsswitch(cupsd_t)
>  
>  libs_read_lib_files(cupsd_t)
>  libs_exec_lib_files(cupsd_t)
> +libs_legacy_use_ld_so(cupsd_t)
>  
>  logging_send_audit_msgs(cupsd_t)
>  logging_send_syslog_msg(cupsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210120/policy/modules/services/devicekit.te
> @@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
>  fs_unmount_all_fs(devicekit_disk_t)
>  fs_search_all(devicekit_disk_t)
>  
> +mount_rw_runtime_files(devicekit_disk_t)
> +
>  mls_file_read_all_levels(devicekit_disk_t)
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/entropyd.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/entropyd.te
> +++ refpolicy-2.20210120/policy/modules/services/entropyd.te
> @@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
>  
>  fs_getattr_all_fs(entropyd_t)
>  fs_search_auto_mountpoints(entropyd_t)
> +fs_search_tmpfs(entropyd_t)
>  
>  domain_use_interactive_fds(entropyd_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210120/policy/modules/services/fail2ban.te
> @@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_search_fs_sysctls(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
> @@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
>  auth_use_nsswitch(fail2ban_t)
>  
>  logging_read_all_logs(fail2ban_t)
> +logging_read_audit_log(fail2ban_t)
>  logging_send_syslog_msg(fail2ban_t)
>  
>  miscfiles_read_localization(fail2ban_t)
> Index: refpolicy-2.20210120/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20210120/policy/modules/services/jabber.te
> @@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
>  # usr for lua modules
>  files_read_usr_files(jabberd_t)
>  
> +files_search_var_lib(jabberd_t)
> +
>  fs_search_auto_mountpoints(jabberd_t)
>  
> +miscfiles_read_generic_tls_privkey(jabberd_t)
>  miscfiles_read_all_certs(jabberd_t)
>  
>  sysnet_read_config(jabberd_t)
> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>  allow l2tpd_t self:tcp_socket { accept listen };
>  allow l2tpd_t self:unix_dgram_socket sendto;
>  allow l2tpd_t self:unix_stream_socket { accept listen };
> +allow l2tpd_t self:pppox_socket create;

create_socket_perms probably eventually

>  
>  read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
>  
> Index: refpolicy-2.20210120/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210120/policy/modules/services/mon.te
> @@ -150,6 +150,10 @@ optional_policy(`
>  	bind_read_zone(mon_net_test_t)
>  ')
>  
> +optional_policy(`
> +	mysql_stream_connect(mon_net_test_t)
> +')
> +
>  ########################################
>  #
>  # Local policy
> @@ -159,7 +163,8 @@ optional_policy(`
>  # try not to use dontaudit rules for this
>  #
>  
> -allow mon_local_test_t self:capability sys_admin;
> +# sys_ptrace is for reading /proc/1/maps etc
> +allow mon_local_test_t self:capability { sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
>  
> Index: refpolicy-2.20210120/policy/modules/services/mysql.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.fc
> +++ refpolicy-2.20210120/policy/modules/services/mysql.fc
> @@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
>  /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
>  /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
>  /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
> +/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
>  
>  /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
>  /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
> Index: refpolicy-2.20210120/policy/modules/services/mysql.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.if
> +++ refpolicy-2.20210120/policy/modules/services/mysql.if
> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>  		type mysqld_t;
>  	')
>  
> -	allow $1 mysqld_t:process signal;
> +	allow $1 mysqld_t:process { signull signal };

create a new mysql_signull()

by generalizing interfaces and putting them out of context you're
shutting doors for fine-grained access control.

>  ')
>  
>  ########################################
> Index: refpolicy-2.20210120/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210120/policy/modules/services/mysql.te
> @@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  # Local policy
>  #
>  
> -allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
> +allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
>  allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
> @@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
>  
>  manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
>  manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
> +allow mysqld_t mysqld_db_t:file map;
>  manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
>  files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
>  
> @@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
>  
>  manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
>  manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
> +allow mysqld_t mysqld_tmp_t:file map;
>  files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
>  
>  manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
> @@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
>  kernel_read_network_state(mysqld_t)
>  kernel_read_system_state(mysqld_t)
>  kernel_read_vm_sysctls(mysqld_t)
> +kernel_read_vm_overcommit_sysctl(mysqld_t)
>  
>  corenet_all_recvfrom_netlabel(mysqld_t)
>  corenet_tcp_sendrecv_generic_if(mysqld_t)
> @@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
>  
>  fs_getattr_all_fs(mysqld_t)
>  fs_search_auto_mountpoints(mysqld_t)
> +fs_search_tmpfs(mysqld_t)
>  fs_rw_hugetlbfs_files(mysqld_t)
>  
>  files_read_etc_runtime_files(mysqld_t)
> @@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
>  
>  logging_send_syslog_msg(mysqld_t)
>  
> +miscfiles_read_generic_certs(mysqld_t)
>  miscfiles_read_localization(mysqld_t)
>  
>  userdom_search_user_home_dirs(mysqld_t)
> Index: refpolicy-2.20210120/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210120/policy/modules/services/openvpn.te
> @@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> +init_read_state(openvpn_t)
> +
>  miscfiles_read_localization(openvpn_t)
>  miscfiles_read_all_certs(openvpn_t)
>  
> @@ -163,6 +165,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_script_rw_inherited_pipes(openvpn_t)
> +')
> +
> +optional_policy(`
>  	dbus_system_bus_client(openvpn_t)
>  	dbus_connect_system_bus(openvpn_t)
>  
> @@ -174,3 +180,7 @@ optional_policy(`
>  optional_policy(`
>  	systemd_use_passwd_agent(openvpn_t)
>  ')
> +
> +optional_policy(`
> +	unconfined_use_fds(openvpn_t)
> +')
> Index: refpolicy-2.20210120/policy/modules/services/postgrey.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/postgrey.te
> +++ refpolicy-2.20210120/policy/modules/services/postgrey.te
> @@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
>  manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
>  
>  manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
> +allow postgrey_t postgrey_var_lib_t:file map;
>  files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
>  
>  manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210120/policy/modules/services/rpc.te
> @@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
>  
>  kernel_read_network_state(nfsd_t)
>  kernel_dontaudit_getattr_core_if(nfsd_t)
> +kernel_search_debugfs(nfsd_t)
>  kernel_setsched(nfsd_t)
>  kernel_request_load_module(nfsd_t)
>  # kernel_mounton_proc(nfsd_t)
> Index: refpolicy-2.20210120/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210120/policy/modules/services/samba.te
> @@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
>  
>  allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
>  allow samba_net_t self:capability2 block_suspend;
> -allow samba_net_t self:process { getsched setsched };
> +allow samba_net_t self:process { sigkill getsched setsched };
>  allow samba_net_t self:unix_stream_socket { accept listen };
> +allow samba_net_t self:fifo_file rw_file_perms;
>  
>  allow samba_net_t samba_etc_t:file read_file_perms;
>  
> +allow samba_net_t samba_var_run_t:file { map read_file_perms };
> +
>  manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
>  filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
>  
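Review bot: `allow samba_net_t self:fifo_file rw_file_perms;` applies the plain file permission set to a fifo_file; the fifo rules elsewhere in this series (cupsd_t, fsdaemon_t) use `rw_fifo_file_perms`, so `allow samba_net_t self:fifo_file rw_fifo_file_perms;` would be consistent. The new `allow samba_net_t samba_var_run_t:file { map read_file_perms };` also names `samba_var_run_t` while every other samba.te hunk in the series refers to `samba_runtime_t`; if the former is only a compatibility alias for the latter, the new rule should use the current name.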
> @@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
>  
>  manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
>  manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
> +allow samba_net_t samba_var_t:file map;
>  manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
>  files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
>  
> @@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
>  
>  manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
>  manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
> +allow smbd_t samba_var_t:file map;
>  manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
>  manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
>  files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
> @@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
>  
>  manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
>  manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
> +allow smbd_t samba_runtime_t:file map;
>  manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
>  files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
>  
> @@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
>  stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
>  
>  stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
> +allow smbd_t nmbd_t:unix_dgram_socket sendto;
>  
>  kernel_getattr_core_if(smbd_t)
>  kernel_getattr_message_if(smbd_t)
> @@ -480,6 +487,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dbus_send_system_bus(smbd_t)
> +	dbus_system_bus_client(smbd_t)

dbus_send_system_bus(smbd_t) is redundant (already implied by dbus_system_bus_client(smbd_t))

> +')
> +
> +optional_policy(`
>  	kerberos_read_keytab(smbd_t)
>  	kerberos_use(smbd_t)
>  ')
> @@ -520,6 +532,7 @@ allow nmbd_t self:unix_stream_socket { a
>  
>  manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
>  manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
> +allow nmbd_t samba_runtime_t:file map;
>  manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
>  files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
>  
> @@ -532,7 +545,7 @@ create_files_pattern(nmbd_t, samba_log_t
>  setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
>  
>  manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> -manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
> +allow nmbd_t samba_var_t:file map;
>  manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
>  manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
>  files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
> @@ -613,6 +626,8 @@ allow smbcontrol_t self:process { signal
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
>  read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
> +init_use_fds(smbcontrol_t)
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
>  
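Review bot: `allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;` grants add_name/remove_name on the runtime directory, but nothing in the hunk lets smbcontrol_t create or unlink any object there, and the line above it only reads files (`read_files_pattern`), so either the write access is unused or the matching object rule lives outside this hunk. If smbcontrol creates its own socket in that directory, `manage_sock_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` states the intent and already includes the dir perms; if it does not, the access should be narrowed to what the denial actually showed. `init_use_fds(smbcontrol_t)` looks fine on its own.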
> Index: refpolicy-2.20210120/policy/modules/services/smartmon.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/smartmon.te
> +++ refpolicy-2.20210120/policy/modules/services/smartmon.te
> @@ -38,7 +38,7 @@ ifdef(`enable_mls',`
>  # Local policy
>  #
>  
> -allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
> +allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
>  dontaudit fsdaemon_t self:capability sys_tty_config;
>  allow fsdaemon_t self:process { getcap setcap signal_perms };
>  allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
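Review bot: The new `setuid` capability for fsdaemon_t is not explained in the hunk or in the commit message, and the domain already holds sys_admin and sys_rawio, so the reason this daemon now needs to change its uid is worth recording at the point of the change. A one-line comment above the allow, e.g. `# setuid: <what smartd does that triggered the denial>` (placeholder to be filled from the observed AVC), would let a later reader judge whether the capability can be dropped again. If the access is only probed and not needed for function, a `dontaudit` is the usual refpolicy choice.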
> Index: refpolicy-2.20210120/policy/modules/services/squid.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> +++ refpolicy-2.20210120/policy/modules/services/squid.te
> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>  allow squid_t self:unix_dgram_socket sendto;
>  allow squid_t self:unix_stream_socket { accept connectto listen };
>  allow squid_t self:tcp_socket { accept listen };
> +allow squid_t self:netlink_netfilter_socket
> all_netlink_netfilter_socket_perms;

probably just create_socket_perms?

>  
>  manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
>  manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
> @@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
>  files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
>  
>  manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
> +allow squid_t squid_tmpfs_t:file map;
>  fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
>  
>  manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>  	init_dbus_chat(sshd_t)
>  	systemd_dbus_chat_logind(sshd_t)
>  	init_rw_stream_sockets(sshd_t)
> +	systemd_read_logind_sessions_files(sshd_t)

This should probably be addressed on the lower authlogin level instead

>  ')
>  
>  tunable_policy(`ssh_sysadm_login',`
> Index: refpolicy-2.20210120/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20210120/policy/modules/services/tor.te
> @@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
>  kernel_read_kernel_sysctls(tor_t)
>  kernel_read_net_sysctls(tor_t)
>  kernel_read_system_state(tor_t)
> +kernel_read_vm_overcommit_sysctl(tor_t)
>  
>  corenet_all_recvfrom_netlabel(tor_t)
>  corenet_tcp_sendrecv_generic_if(tor_t)
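Review bot: `kernel_read_vm_overcommit_sysctl(tor_t)` is added without a comment, and the rest of this block gives no hint why tor would read that sysctl; presumably it is the allocator probing /proc/sys/vm/overcommit_memory, but that is an inference. A short why-comment on the line, e.g. `# malloc reads vm.overcommit_memory at startup — confirm from the denial`, would keep the reason next to the rule.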
> Index: refpolicy-2.20210120/policy/modules/services/watchdog.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/watchdog.te
> +++ refpolicy-2.20210120/policy/modules/services/watchdog.te
> @@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
>  
>  logging_send_syslog_msg(watchdog_t)
>  
> +mcs_killall(watchdog_t)
> +
>  miscfiles_read_localization(watchdog_t)
>  
>  sysnet_dns_name_resolve(watchdog_t)
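Review bot: `mcs_killall(watchdog_t)` only exempts watchdog_t from the MCS constraint when signalling processes of other categories; it does not by itself grant any `process` signal or kill permission on other domains, so unless such rules exist outside this hunk the call has no visible effect here. Because it widens watchdog's reach to processes of every category, the reason should be stated on the line, e.g. `# watchdog kills all processes on repair/reboot, regardless of MCS category`, so that the grant is not silently carried forward. If the intent is only the reboot path, check whether the existing signal rules for watchdog_t already cover what it actually kills.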
> Index: refpolicy-2.20210120/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20210120/policy/modules/services/xserver.if
> @@ -1662,6 +1662,7 @@ interface(`xserver_rw_mesa_shader_cache'
>  
>  	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
>  	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
> +	allow $1 mesa_shader_cache_t:file map;
>  	xdg_search_cache_dirs($1)
>  ')
>  
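Review bot: Adding `allow $1 mesa_shader_cache_t:file map;` inside `xserver_rw_mesa_shader_cache` changes what every caller of the interface receives, but the interface's documentation block, which sits above this hunk, still describes the access as read/write only. The summary comment should say the cache files may also be mapped, e.g. `## Read, write and map the Mesa shader cache files.`, and the bare allow could become `mmap_rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)` if this tree provides that macro, matching the two pattern lines above it. The interface definition starts outside the hunk.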
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* Re: [PATCH] misc services patches
  2021-01-20 14:53 ` Dominick Grift
@ 2021-01-21 13:25   ` Russell Coker
  2021-01-21 13:35     ` Dominick Grift
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2021-01-21 13:25 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
> >  /usr/sbin/suexec					--	
gen_context(system_u:object_r:httpd_suexec_exec_
> >  t,s0)
> >  /usr/sbin/wigwam					--	
gen_context(system_u:object_r:httpd_exec_t,s0)> 
> > +/usr/sbin/php7..-fpm					--	
gen_context(system_u:object_r:httpd_exec_t,s0
> > )
> 
> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

OK, I'll change that.

> > +interface(`apache_delete_squirrelmail_spool',`
> > +	gen_require(`
> > +		type squirrelmail_spool_t;
> > +	')
> > +
> > +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> > +	allow $1 squirrelmail_spool_t:file delete_file_perms;
> 
> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

OK.
 
> >  tunable_policy(`httpd_enable_homedirs',`
> > 
> > -	userdom_search_user_home_dirs(httpd_t)
> > +	userdom_list_user_home_content(httpd_t)
> 
> this is not how it was designed. If you want that functionality then set
> httpd_read_user_content boolean to true instead

OK, I'll delete that patch and do it a better way next time I see a case for 
it.

> >  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> >  allow cupsd_t self:fifo_file rw_fifo_file_perms;
> >  allow cupsd_t self:unix_stream_socket { accept connectto listen };
> >  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> > 
> > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> > 
> >  getattr read setopt };
> 
> create_socket_perms, use the permission sets and patterns where appropriate

ok

> > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> > @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> > 
> >  allow l2tpd_t self:tcp_socket { accept listen };
> >  allow l2tpd_t self:unix_dgram_socket sendto;
> >  allow l2tpd_t self:unix_stream_socket { accept listen };
> > 
> > +allow l2tpd_t self:pppox_socket create;
> 
> create_socket_perms probably eventually

Maybe, but for the moment I think it's best to leave them like that.  I had it 
working fully only needing those accesses.

> > @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> > 
> >  		type mysqld_t;
> >  	
> >  	')
> > 
> > -	allow $1 mysqld_t:process signal;
> > +	allow $1 mysqld_t:process { signull signal };
> 
> create a new mysql_signull()
> 
> by generalizing interfaces and putting them out of context youre
> shutting down doors for fine grained access control.

OK, I'll drop that patch and add a mysql_signull() next time I see the need 
for it (probably a week or two).

> >  optional_policy(`
> > 
> > +	dbus_send_system_bus(smbd_t)
> > +	dbus_system_bus_client(smbd_t)
> 
> dbus_send_system_bus(smbd_t) is redundant (already implied with
> dbus_system_bus_client(smbd_t)

ok

> > Index: refpolicy-2.20210120/policy/modules/services/squid.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> > +++ refpolicy-2.20210120/policy/modules/services/squid.te
> > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> > 
> >  allow squid_t self:unix_dgram_socket sendto;
> >  allow squid_t self:unix_stream_socket { accept connectto listen };
> >  allow squid_t self:tcp_socket { accept listen };
> > 
> > +allow squid_t self:netlink_netfilter_socket
> > all_netlink_netfilter_socket_perms;
> 
> probably just create_socket_perms?

OK.

> > Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> > @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> > 
> >  	init_dbus_chat(sshd_t)
> >  	systemd_dbus_chat_logind(sshd_t)
> >  	init_rw_stream_sockets(sshd_t)
> > 
> > +	systemd_read_logind_sessions_files(sshd_t)
> 
> This should probably be addressed on the lower authlogin level instead

auth_login_pgm_domain()?

In another patch I have systemd_connect_machined(sshd_t) which I guess should 
go in the same one too.


Thanks for all the suggestions.  I'll send an updated version shortly.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





* Re: [PATCH] misc services patches
  2021-01-21 13:25   ` Russell Coker
@ 2021-01-21 13:35     ` Dominick Grift
  2021-01-21 13:40       ` Dominick Grift
  2021-01-22  2:24       ` Russell Coker
  0 siblings, 2 replies; 11+ messages in thread
From: Dominick Grift @ 2021-01-21 13:35 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy



On 1/21/21 2:25 PM, Russell Coker wrote:
> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>  /usr/sbin/suexec					--	
> gen_context(system_u:object_r:httpd_suexec_exec_
>>>  t,s0)
>>>  /usr/sbin/wigwam					--	
> gen_context(system_u:object_r:httpd_exec_t,s0)> 
>>> +/usr/sbin/php7..-fpm					--	
> gen_context(system_u:object_r:httpd_exec_t,s0
>>> )
>>
>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
> 
> OK, I'll change that.
> 
>>> +interface(`apache_delete_squirrelmail_spool',`
>>> +	gen_require(`
>>> +		type squirrelmail_spool_t;
>>> +	')
>>> +
>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>
>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
> 
> OK.
>  
>>>  tunable_policy(`httpd_enable_homedirs',`
>>>
>>> -	userdom_search_user_home_dirs(httpd_t)
>>> +	userdom_list_user_home_content(httpd_t)
>>
>> this is not how it was designed. If you want that functionality then set
>> httpd_read_user_content boolean to true instead
> 
> OK, I'll delete that patch and do it a better way next time I see a case for 
> it.
> 
>>>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>
>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>
>>>  getattr read setopt };
>>
>> create_socket_perms, use the permission sets and patterns where appropriate
> 
> ok
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>
>>>  allow l2tpd_t self:tcp_socket { accept listen };
>>>  allow l2tpd_t self:unix_dgram_socket sendto;
>>>  allow l2tpd_t self:unix_stream_socket { accept listen };
>>>
>>> +allow l2tpd_t self:pppox_socket create;
>>
>> create_socket_perms probably eventually
> 
> Maybe, but for the moment I think it's best to leave them like that.  I had it 
> working fully only needing those accesses.
> 
>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>
>>>  		type mysqld_t;
>>>  	
>>>  	')
>>>
>>> -	allow $1 mysqld_t:process signal;
>>> +	allow $1 mysqld_t:process { signull signal };
>>
>> create a new mysql_signull()
>>
>> by generalizing interfaces and putting them out of context youre
>> shutting down doors for fine grained access control.
> 
> OK, I'll drop that patch and add a mysql_signull() next time I see the need 
> for it (probably a week or two).
> 
>>>  optional_policy(`
>>>
>>> +	dbus_send_system_bus(smbd_t)
>>> +	dbus_system_bus_client(smbd_t)
>>
>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>> dbus_system_bus_client(smbd_t)
> 
> ok
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>
>>>  allow squid_t self:unix_dgram_socket sendto;
>>>  allow squid_t self:unix_stream_socket { accept connectto listen };
>>>  allow squid_t self:tcp_socket { accept listen };
>>>
>>> +allow squid_t self:netlink_netfilter_socket
>>> all_netlink_netfilter_socket_perms;
>>
>> probably just create_socket_perms?
> 
> OK.
> 
>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>
>>>  	init_dbus_chat(sshd_t)
>>>  	systemd_dbus_chat_logind(sshd_t)
>>>  	init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>
>>> +	systemd_read_logind_sessions_files(sshd_t)
>>
>> This should probably be addressed on the lower authlogin level instead
> 
> auth_login_pgm_domain()?

I would consider adding it to auth_use_pam(). but its a good question.

> 
> In another patch I have systemd_connect_machined(sshd_t) which I guess should 
> go in the same one too.

Which patch was that? That does not look right, if only because the name of
the interface isn't very descriptive (there is no way to unix stream connect
or unix dgram sendto machined).

So this is either about systemd's nss mymachines (in which case it
belongs in auth_use_nsswitch() or about reading systemd
/var/run/machines in which case the interface name is wrong.

> 
> 
> Thanks for all the suggestions.  I'll send an updated version shortly.
> 


* Re: [PATCH] misc services patches
  2021-01-21 13:35     ` Dominick Grift
@ 2021-01-21 13:40       ` Dominick Grift
  2021-01-22  2:24       ` Russell Coker
  1 sibling, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2021-01-21 13:40 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy



On 1/21/21 2:35 PM, Dominick Grift wrote:
> 
> 
> On 1/21/21 2:25 PM, Russell Coker wrote:
>> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
>>>>  /usr/sbin/suexec					--	
>> gen_context(system_u:object_r:httpd_suexec_exec_
>>>>  t,s0)
>>>>  /usr/sbin/wigwam					--	
>> gen_context(system_u:object_r:httpd_exec_t,s0)> 
>>>> +/usr/sbin/php7..-fpm					--	
>> gen_context(system_u:object_r:httpd_exec_t,s0
>>>> )
>>>
>>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"
>>
>> OK, I'll change that.
>>
>>>> +interface(`apache_delete_squirrelmail_spool',`
>>>> +	gen_require(`
>>>> +		type squirrelmail_spool_t;
>>>> +	')
>>>> +
>>>> +	allow $1 squirrelmail_spool_t:dir rw_dir_perms;
>>>> +	allow $1 squirrelmail_spool_t:file delete_file_perms;
>>>
>>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
>>
>> OK.
>>  
>>>>  tunable_policy(`httpd_enable_homedirs',`
>>>>
>>>> -	userdom_search_user_home_dirs(httpd_t)
>>>> +	userdom_list_user_home_content(httpd_t)
>>>
>>> this is not how it was designed. If you want that functionality then set
>>> httpd_read_user_content boolean to true instead
>>
>> OK, I'll delete that patch and do it a better way next time I see a case for 
>> it.
>>
>>>>  allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
>>>>  allow cupsd_t self:fifo_file rw_fifo_file_perms;
>>>>  allow cupsd_t self:unix_stream_socket { accept connectto listen };
>>>>  allow cupsd_t self:netlink_selinux_socket create_socket_perms;
>>>>
>>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
>>>>
>>>>  getattr read setopt };
>>>
>>> create_socket_perms, use the permission sets and patterns where appropriate
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
>>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
>>>>
>>>>  allow l2tpd_t self:tcp_socket { accept listen };
>>>>  allow l2tpd_t self:unix_dgram_socket sendto;
>>>>  allow l2tpd_t self:unix_stream_socket { accept listen };
>>>>
>>>> +allow l2tpd_t self:pppox_socket create;
>>>
>>> create_socket_perms probably eventually
>>
>> Maybe, but for the moment I think it's best to leave them like that.  I had it 
>> working fully only needing those accesses.
>>
>>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',`
>>>>
>>>>  		type mysqld_t;
>>>>  	
>>>>  	')
>>>>
>>>> -	allow $1 mysqld_t:process signal;
>>>> +	allow $1 mysqld_t:process { signull signal };
>>>
>>> create a new mysql_signull()
>>>
>>> by generalizing interfaces and putting them out of context youre
>>> shutting down doors for fine grained access control.
>>
>> OK, I'll drop that patch and add a mysql_signull() next time I see the need 
>> for it (probably a week or two).
>>
>>>>  optional_policy(`
>>>>
>>>> +	dbus_send_system_bus(smbd_t)
>>>> +	dbus_system_bus_client(smbd_t)
>>>
>>> dbus_send_system_bus(smbd_t) is redundant (already implied with
>>> dbus_system_bus_client(smbd_t)
>>
>> ok
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te
>>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
>>>>
>>>>  allow squid_t self:unix_dgram_socket sendto;
>>>>  allow squid_t self:unix_stream_socket { accept connectto listen };
>>>>  allow squid_t self:tcp_socket { accept listen };
>>>>
>>>> +allow squid_t self:netlink_netfilter_socket
>>>> all_netlink_netfilter_socket_perms;
>>>
>>> probably just create_socket_perms?
>>
>> OK.
>>
>>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> ===================================================================
>>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>
>>>>  	init_dbus_chat(sshd_t)
>>>>  	systemd_dbus_chat_logind(sshd_t)
>>>>  	init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>>
>>>> +	systemd_read_logind_sessions_files(sshd_t)
>>>
>>> This should probably be addressed on the lower authlogin level instead
>>
>> auth_login_pgm_domain()?
> 
> I would consider adding it to auth_use_pam(). but its a good question.
> 
>>
>> In another patch I have systemd_connect_machined(sshd_t) which I guess should 
>> go in the same one too.
> 
> Which patch was that? That does not look right if only that the name of
> the interface isnt very descriptive (there is no way unix stream connect
> or unix dgram sendto machined.
> 
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I meant /var/run/systemd/machines


> 
>>
>>
>> Thanks for all the suggestions.  I'll send an updated version shortly.
>>


* Re: [PATCH] misc services patches
  2021-01-21 13:35     ` Dominick Grift
  2021-01-21 13:40       ` Dominick Grift
@ 2021-01-22  2:24       ` Russell Coker
  2021-01-22  7:02         ` Dominick Grift
  1 sibling, 1 reply; 11+ messages in thread
From: Russell Coker @ 2021-01-22  2:24 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
> >>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> >>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >>> 
> >>> init_dbus_chat(sshd_t)
> >>> systemd_dbus_chat_logind(sshd_t)
> >>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
> >>> 
> >>> +       systemd_read_logind_sessions_files(sshd_t)
> >> 
> >> This should probably be addressed on the lower authlogin level instead
> > 
> > auth_login_pgm_domain()?
> 
> I would consider adding it to auth_use_pam(). but its a good question.
> 
> > In another patch I have systemd_connect_machined(sshd_t) which I guess
> > should go in the same one too.
> 
> Which patch was that?

A patch I haven't sent to the list yet.

> That does not look right if only that the name of
> the interface isnt very descriptive (there is no way unix stream connect
> or unix dgram sendto machined.
> 
> So this is either about systemd's nss mymachines (in which case it
> belongs in auth_use_nsswitch() or about reading systemd
> /var/run/machines in which case the interface name is wrong.

I don't have the libnss-systemd or libnss-mymachines packages installed on the 
machines that are giving this, /etc/nsswitch.conf hasn't been changed since 
2018.

When I comment out the pam_systemd.so line from /etc/pam.d/common-session that 
access isn't required.  So it's a PAM thing.

+interface(`systemd_connect_machined',`
+       gen_require(`
+               type systemd_machined_t;
+       ')
+
+       allow $1 systemd_machined_t:unix_stream_socket connectto;
+')

Should I put this access in systemd_stream_connect_userdb()?  The socket file 
is /run/systemd/userdb/io.systemd.Machine and is labelled as 
systemd_userdb_runtime_t.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/





* Re: [PATCH] misc services patches
  2021-01-22  2:24       ` Russell Coker
@ 2021-01-22  7:02         ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2021-01-22  7:02 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy



On 1/22/21 3:24 AM, Russell Coker wrote:
> On Friday, 22 January 2021 12:35:42 AM AEDT Dominick Grift wrote:
>>>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te
>>>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
>>>>>
>>>>> init_dbus_chat(sshd_t)
>>>>> systemd_dbus_chat_logind(sshd_t)
>>>>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t)
>>>>>
>>>>> +       systemd_read_logind_sessions_files(sshd_t)
>>>>
>>>> This should probably be addressed on the lower authlogin level instead
>>>
>>> auth_login_pgm_domain()?
>>
>> I would consider adding it to auth_use_pam(). but its a good question.
>>
>>> In another patch I have systemd_connect_machined(sshd_t) which I guess
>>> should go in the same one too.
>>
>> Which patch was that?
> 
> A patch I haven't sent to the list yet.
> 
>> That does not look right if only that the name of
>> the interface isnt very descriptive (there is no way unix stream connect
>> or unix dgram sendto machined.
>>
>> So this is either about systemd's nss mymachines (in which case it
>> belongs in auth_use_nsswitch() or about reading systemd
>> /var/run/machines in which case the interface name is wrong.
> 
> I don't have the libnss-systemd or libnss-mymachines packages installed on the 
> machines that are giving this, /etc/nsswitch.conf hasn't been changed since 
> 2018.
> 
> When I comment out the pam_systemd.so line from /etc/pam.d/common-session that 
> access isn't required.  So it's a PAM thing.
> 
> +interface(`systemd_connect_machined',`
> +       gen_require(`
> +               type systemd_machined_t;
> +       ')
> +
> +       allow $1 systemd_machined_t:unix_stream_socket connectto;
> +')
> 
> Should I put this access in systemd_stream_connect_userdb()?  The socket file 
> is /run/systemd/userdb/io.systemd.Machine and is labelled as 
> systemd_userdb_runtime_t.
> 

I forgot about this functionality. From systemd-machined.service:

       For each container registered with systemd-machined.service that
       employs user namespacing, users/groups are synthesized for the
       used UIDs/GIDs. These are made available to the system using the
       User/Group Record Lookup API via Varlink[4], and thus may be
       resolved with userdbctl(1) or the usual glibc NSS calls.

So this is "nss password/group" similar to DynamicUser.io I guess

What i did in my personal policy is create a
machined_unix_stream_connect_userdb (roughly):

https://git.defensec.nl/?p=dssp3.git;a=blob;f=policy/systemd/systemd_machine.cil;h=9ea214e7d124e2be4254e57c7bf78e09914db7bf;hb=HEAD#l72

and then call that in auth_use_nsswitch() optionally (because if you
dont have machined then you dont need this)




* Re: [PATCH] misc services patches
  2021-02-03  4:08 Russell Coker
@ 2021-02-03 18:06 ` Dominick Grift
  0 siblings, 0 replies; 11+ messages in thread
From: Dominick Grift @ 2021-02-03 18:06 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Lots of little patches for services.
>
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
> +++ refpolicy-2.20210203/policy/modules/services/accountsd.te
> @@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
>  # Local policy
>  #
>  
> -allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
> -allow accountsd_t self:process signal;
> +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
> +allow accountsd_t self:process { signal getsched setsched };
>  allow accountsd_t self:fifo_file rw_fifo_file_perms;
>  allow accountsd_t self:passwd { rootok passwd chfn chsh };
>  
> Index: refpolicy-2.20210203/policy/modules/services/acpi.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
> +++ refpolicy-2.20210203/policy/modules/services/acpi.te
> @@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
>  #
>  
>  allow acpi_t self:capability { dac_override sys_admin };
> +# for pidof and pgrep
> +allow acpid_t self:cap_userns sys_ptrace;
>  
>  kernel_read_system_state(acpi_t)
>  
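Review bot: The added `allow acpid_t self:cap_userns sys_ptrace;` names acpid_t, while the two neighbouring rules in this hunk (the capability rule above it and kernel_read_system_state below it) name acpi_t, so the hunk mixes two type names for what is presumably a single domain. If acpi_t is only an alias this is harmless, but the new rule should still use the same name as the lines it is inserted between, or the neighbours should be brought in line with the later hunks of this file, which all use acpid_t. The `# for pidof and pgrep` comment is the right thing to keep next to a cap_userns grant.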
> @@ -105,6 +107,7 @@ dev_rw_acpi_bios(acpid_t)
>  dev_rw_sysfs(acpid_t)
>  dev_dontaudit_getattr_all_chr_files(acpid_t)
>  dev_dontaudit_getattr_all_blk_files(acpid_t)
> +dev_watch_dev_dirs(acpid_t)
>  
>  files_exec_etc_files(acpid_t)
>  files_read_etc_runtime_files(acpid_t)
> @@ -136,6 +139,7 @@ domain_dontaudit_list_all_domains_state(
>  auth_use_nsswitch(acpid_t)
>  
>  init_domtrans_script(acpid_t)
> +init_read_utmp(acpid_t)
>  init_telinit(acpid_t)
>  
>  libs_exec_ld_so(acpid_t)
> @@ -218,6 +222,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	init_list_unit_dirs(acpid_t)
> +	systemd_dbus_chat_logind(acpid_t)
>  	systemd_start_power_units(acpid_t)
>  	systemd_status_power_units(acpid_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210203/policy/modules/services/apache.fc
> @@ -172,7 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210203/policy/modules/services/apache.te
> @@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
>  files_read_var_lib_files(httpd_t)
> +files_map_var_lib_files(httpd_t)
>  files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
> Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
> @@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
>  
>  manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
>  
> +kernel_read_system_state(aptcacher_t)
>  kernel_read_vm_overcommit_sysctl(aptcacher_t)
>  
>  # Calls system()
> @@ -76,6 +77,7 @@ corenet_tcp_connect_http_port(aptcacher_
>  auth_use_nsswitch(aptcacher_t)
>  
>  files_read_etc_files(aptcacher_t)
> +files_read_usr_files(aptcacher_t)
>  
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
> Index: refpolicy-2.20210203/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210203/policy/modules/services/bind.te
> @@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
>  
>  allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
>  dontaudit named_t self:capability sys_tty_config;
> -allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
> +allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
>  allow named_t self:fifo_file rw_fifo_file_perms;
>  allow named_t self:unix_stream_socket { accept listen };
>  allow named_t self:tcp_socket { accept listen };
> @@ -212,9 +212,9 @@ optional_policy(`
>  # NDC local policy
>  #
>  
> -allow ndc_t self:capability { dac_override net_admin };
> +allow ndc_t self:capability { dac_override dac_read_search net_admin };
>  allow ndc_t self:capability2 block_suspend;
> -allow ndc_t self:process signal_perms;
> +allow ndc_t self:process { signal_perms getsched setsched };
>  allow ndc_t self:fifo_file rw_fifo_file_perms;
>  allow ndc_t self:unix_stream_socket { accept listen };
>  
> Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
> +++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
> @@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
>  allow bluetooth_t self:unix_stream_socket { accept connectto listen };
>  allow bluetooth_t self:tcp_socket { accept listen };
>  allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
>  
>  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
>  
> @@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
>  
>  can_exec(bluetooth_t, bluetooth_helper_exec_t)
>  
> +kernel_read_crypto_sysctls(bluetooth_t)
>  kernel_read_kernel_sysctls(bluetooth_t)
>  kernel_read_system_state(bluetooth_t)
>  kernel_read_network_state(bluetooth_t)
> @@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
>  miscfiles_read_fonts(bluetooth_t)
>  miscfiles_read_hwdata(bluetooth_t)
>  
> +udev_search_runtime(bluetooth_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
>  userdom_dontaudit_use_user_terminals(bluetooth_t)
>  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
> @@ -210,5 +214,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(bluetooth_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20210203/policy/modules/services/boinc.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
>  dev_read_rand(boinc_t)
>  dev_read_urand(boinc_t)
>  dev_read_sysfs(boinc_t)
> +dev_rw_dri(boinc_t)
>  dev_rw_xserver_misc(boinc_t)
>  
>  domain_read_all_domains_state(boinc_t)
> Index: refpolicy-2.20210203/policy/modules/services/certbot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
> +++ refpolicy-2.20210203/policy/modules/services/certbot.te
> @@ -85,6 +85,8 @@ domain_use_interactive_fds(certbot_t)
>  files_read_etc_files(certbot_t)
>  files_read_usr_files(certbot_t)
>  
> +# dontaudit for attempts to write python cache files
> +libs_dontaudit_write_lib_dirs(certbot_t)
>  libs_exec_ldconfig(certbot_t)
>  # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
>  libs_exec_lib_files(certbot_t)
> Index: refpolicy-2.20210203/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20210203/policy/modules/services/clamav.te
> @@ -176,7 +176,7 @@ optional_policy(`
>  # Freshclam local policy
>  #
>  
> -allow freshclam_t self:capability { dac_override setgid setuid };
> +allow freshclam_t self:capability { chown dac_override setgid setuid };
>  allow freshclam_t self:fifo_file rw_fifo_file_perms;
>  allow freshclam_t self:unix_stream_socket { accept listen };
>  allow freshclam_t self:tcp_socket { accept listen };
> @@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
>  domain_use_interactive_fds(freshclam_t)
>  
>  files_read_etc_runtime_files(freshclam_t)
> +files_read_usr_files(freshclam_t)
>  files_search_var_lib(freshclam_t)
>  
>  auth_use_nsswitch(freshclam_t)
> Index: refpolicy-2.20210203/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210203/policy/modules/services/colord.te
> @@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
>  
>  allow colord_t self:capability { dac_override dac_read_search };
>  dontaudit colord_t self:capability sys_admin;
> -allow colord_t self:process signal;
> +allow colord_t self:process { signal getsched setsched };
>  allow colord_t self:fifo_file rw_fifo_file_perms;
>  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow colord_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210203/policy/modules/services/cron.te
> @@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
>  kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> +kernel_read_rpc_sysctls(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
>  kernel_read_software_raid_state(system_cronjob_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210203/policy/modules/services/cups.te
> @@ -5,6 +5,13 @@ policy_module(cups, 1.25.3)
>  # Declarations
>  #
>  
> +## <desc>
> +## <p>
> +## Allows legacy ld_so for old printer filters
> +## </p>
> +## </desc>
> +gen_tunable(cups_legacy_ldso, false)
> +
>  type cupsd_config_t;
>  type cupsd_config_exec_t;
>  init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
> @@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
>  
>  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
> +manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
>  files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
>  
> @@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
>  
>  files_getattr_boot_dirs(cupsd_t)
>  files_list_spool(cupsd_t)
> +files_map_etc_files(cupsd_t)
>  files_read_etc_runtime_files(cupsd_t)
>  files_read_usr_files(cupsd_t)
>  files_exec_usr_files(cupsd_t)
>  # for /var/lib/defoma
>  files_read_var_lib_files(cupsd_t)
> +files_read_var_lib_symlinks(cupsd_t)
>  files_list_world_readable(cupsd_t)
>  files_read_world_readable_files(cupsd_t)
>  files_read_world_readable_symlinks(cupsd_t)
> @@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
>  userdom_manage_user_home_content_files(cups_pdf_t)
>  userdom_home_filetrans_user_home_dir(cups_pdf_t)
>  
> +tunable_policy(`cups_legacy_ldso',`
not sure if this is worth a tunable

> +	libs_legacy_use_ld_so(cupsd_t)
> +')
> +
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(cups_pdf_t)
>  	fs_manage_nfs_files(cups_pdf_t)
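Review bot: The new tunable_policy block grants libs_legacy_use_ld_so to cupsd_t but is inserted into the cups_pdf_t local-policy section — the context lines at both edges of this hunk are cups_pdf_t rules — so it belongs in the cupsd_t section of the file rather than here. The tunable's description could also name the domain it affects and what "legacy ld_so" means for the reader, e.g. `## Allow cupsd to run printer filters that still use the legacy dynamic linker`.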
> Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210203/policy/modules/services/devicekit.te
> @@ -67,7 +67,7 @@ optional_policy(`
>  
>  allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
>  allow devicekit_disk_t self:capability2 wake_alarm;
> -allow devicekit_disk_t self:process { getsched signal_perms };
> +allow devicekit_disk_t self:process { getsched setsched signal_perms };
>  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
>  
> @@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
>  mount_rw_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files_reads(devicekit_disk_t)
>  
>  storage_raw_read_fixed_disk(devicekit_disk_t)
>  storage_raw_write_fixed_disk(devicekit_disk_t)
> @@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
>  
>  logging_send_syslog_msg(devicekit_disk_t)
>  
> +mount_watch_runtime_dirs(devicekit_disk_t)
>  miscfiles_read_localization(devicekit_disk_t)
>  
>  userdom_read_all_users_state(devicekit_disk_t)
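Review bot: mount_watch_runtime_dirs(devicekit_disk_t) is added between the logging_ and miscfiles_ calls, while the other mount_ calls for this domain, including the two mount_watch_runtime_files* lines added by the earlier hunk of this file, sit together under mount_rw_runtime_files. Interface calls in these files are grouped by module in alphabetical order, so this line should join that mount_ group instead of splitting the logging/miscfiles run.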
> @@ -210,7 +213,7 @@ optional_policy(`
>  
>  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
>  allow devicekit_power_t self:capability2 wake_alarm;
> -allow devicekit_power_t self:process { getsched signal_perms };
> +allow devicekit_power_t self:process { getsched setsched signal_perms };
>  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
>  allow devicekit_power_t self:unix_stream_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
> +++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
> @@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
>  userdom_search_user_home_dirs(dirmngr_t)
>  userdom_search_user_runtime(dirmngr_t)
>  userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
>  
>  optional_policy(`
>  	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
> @@ -92,3 +93,7 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +optional_policy(`
> +	corenet_tcp_connect_tor_port(dirmngr_t)
> +')
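Review bot: corenet_tcp_connect_tor_port(dirmngr_t) is wrapped in optional_policy, but corenetwork is a base module in refpolicy, so there is no module whose absence the wrapper could guard against and the other corenet_/kernel_ calls in this patch are unwrapped. Whether dirmngr should be able to reach the tor port is a deployment choice, so a tunable_policy on a boolean would express that better than an inert optional_policy. If the wrapper was meant to depend on the tor module being present, a comment saying so would make the intent clear.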
> Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20210203/policy/modules/services/dovecot.te
> @@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
>  
>  kernel_dontaudit_getattr_proc(dovecot_auth_t)
>  
> +kernel_getattr_proc(dovecot_auth_t)
> +
>  files_search_runtime(dovecot_auth_t)
>  files_read_usr_files(dovecot_auth_t)
>  files_read_var_lib_files(dovecot_auth_t)
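Review bot: The added kernel_getattr_proc(dovecot_auth_t) sits two lines below the existing kernel_dontaudit_getattr_proc(dovecot_auth_t), and a dontaudit on a permission that is now allowed has no effect, so the two rules should not coexist. If the getattr is genuinely needed the hunk should also drop the dontaudit line (and the extra blank line between them); if the aim was only to silence denials the existing dontaudit already did that and the allow is unnecessary. Leaving both in place leaves the next reader guessing which one reflects the intent.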
> Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
> @@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_read_vm_overcommit_sysctl(fail2ban_t)
>  kernel_search_fs_sysctls(fail2ban_t)
> +kernel_search_vm_sysctl(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
> @@ -133,7 +135,7 @@ optional_policy(`
>  #
>  
>  allow fail2ban_client_t self:capability dac_read_search;
> -allow fail2ban_client_t self:unix_stream_socket { create connect write read };
> +allow fail2ban_client_t self:unix_stream_socket { create connect
>  write read shutdown };
create_socket_perms

>  
>  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
> +++ refpolicy-2.20210203/policy/modules/services/ftp.fc
> @@ -1,4 +1,5 @@
>  /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
> +/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
>  
>  /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> @@ -22,8 +23,10 @@
>  /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
> +/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> -/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
>  
>  /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
>  
> @@ -31,6 +34,7 @@
>  
>  /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
> +/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/ftp.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
> +++ refpolicy-2.20210203/policy/modules/services/ftp.te
> @@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
>  allow ftpd_t self:shm create_shm_perms;
>  allow ftpd_t self:key manage_key_perms;
>  
> +allow ftpd_t ftpd_etc_t:dir list_dir_perms;
>  allow ftpd_t ftpd_etc_t:file read_file_perms;
>  
>  allow ftpd_t ftpd_keytab_t:file read_file_perms;
> @@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
>  
>  manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
> +allow ftpd_t ftpd_runtime_t:file map;
>  manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
>  
> @@ -405,6 +407,13 @@ optional_policy(`
>  	seutil_sigchld_newrole(ftpd_t)
>  ')
>  
> +optional_policy(`
> +	systemd_connect_machined(ftpd_t)

This is probably related to dynamic user resolving? We should probably
address this in auth_use_nsswitch().

> +	systemd_dbus_chat_logind(ftpd_t)
> +	systemd_read_logind_state(ftpd_t)
> +	systemd_write_inherited_logind_sessions_pipes(ftpd_t)

This looks PAM related?

> +')
> +
>  ########################################
>  #
>  # Ctl local policy
> Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
> +++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
> @@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
>  
>  auth_use_nsswitch(kerneloops_t)
>  
> +logging_mmap_generic_logs(kerneloops_t)
>  logging_send_syslog_msg(kerneloops_t)
>  logging_read_generic_logs(kerneloops_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
> @@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
>  #
>  
>  allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
> -allow modemmanager_t self:process { getsched signal };
> +allow modemmanager_t self:process { getsched setsched signal };
>  allow modemmanager_t self:fifo_file rw_fifo_file_perms;
>  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
>  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210203/policy/modules/services/mon.te
> @@ -164,9 +164,10 @@ optional_policy(`
>  #
>  
>  # sys_ptrace is for reading /proc/1/maps etc
> -allow mon_local_test_t self:capability { sys_ptrace sys_admin };
> +allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
> +allow mon_local_test_t self:cap_userns sys_ptrace;
>  
>  can_exec(mon_local_test_t, mon_local_test_exec_t)
>  
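Review bot: sys_rawio on the capability line and the new cap_userns sys_ptrace rule are high-impact grants for a monitoring test domain, and the only justification in the hunk is the pre-existing comment that covers sys_ptrace; the storage_raw_read_fixed_disk call added in the third hunk of this file extends the same raw-disk access. A comment naming the test that needs raw block-device access, e.g. `# sys_rawio and raw fixed-disk reads are for <name of the local test>`, would let a later reader judge whether the grant still applies. That storage_ call is also placed after miscfiles_ rather than next to storage_getattr_fixed_disk_dev in the second hunk, where the other storage_ rule for this domain lives.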
> @@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
>  fs_search_auto_mountpoints(mon_local_test_t)
>  fs_getattr_nfs(mon_local_test_t)
>  fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_cgroup_dirs(mon_local_test_t)
>  fs_list_hugetlbfs(mon_local_test_t)
>  fs_list_tmpfs(mon_local_test_t)
> +fs_read_cgroup_files(mon_local_test_t)
> +fs_search_cgroup_dirs(mon_local_test_t)
>  fs_search_nfs(mon_local_test_t)
>  
>  storage_getattr_fixed_disk_dev(mon_local_test_t)
> @@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
>  
>  auth_use_nsswitch(mon_local_test_t)
>  
> +fsdaemon_read_lib(mon_local_test_t)
>  init_getattr_initctl(mon_local_test_t)
>  
>  logging_send_syslog_msg(mon_local_test_t)
>  
>  miscfiles_read_generic_certs(mon_t)
>  miscfiles_read_localization(mon_local_test_t)
> +storage_raw_read_fixed_disk(mon_local_test_t)
>  
>  sysnet_read_config(mon_local_test_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20210203/policy/modules/services/mta.if
> @@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
>  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  	allow $1 mail_home_rw_t:file map;
>  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:dir watch;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20210203/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210203/policy/modules/services/mysql.te
> @@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  
>  allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
> -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
>  allow mysqld_t self:shm create_shm_perms;
>  allow mysqld_t self:unix_stream_socket { connectto accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
> @@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
>  files_read_usr_src_files(NetworkManager_t)
>  
>  fs_getattr_all_fs(NetworkManager_t)
> +fs_read_nsfs_files(NetworkManager_t)
>  fs_search_auto_mountpoints(NetworkManager_t)
>  fs_list_inotifyfs(NetworkManager_t)
>  
> @@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
>  
>  auth_use_nsswitch(NetworkManager_t)
>  
> +libs_watch_shared_libs_dir(NetworkManager_t)
> +
>  logging_send_audit_msgs(NetworkManager_t)
>  logging_send_syslog_msg(NetworkManager_t)
>  
> @@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
>  sysnet_search_dhcp_state(NetworkManager_t)
>  sysnet_manage_config(NetworkManager_t)
>  sysnet_etc_filetrans_config(NetworkManager_t)
> +sysnet_watch_config_dir(NetworkManager_t)
>  
>  # certificates in user home directories (cert_home_t in ~/\.pki)
>  userdom_read_user_certs(NetworkManager_t)
> Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210203/policy/modules/services/openvpn.te
> @@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
>  
>  fs_getattr_all_fs(openvpn_t)
>  fs_search_auto_mountpoints(openvpn_t)
> +fs_search_tmpfs(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20210203/policy/modules/services/policykit.te
> @@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
>  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
>  
>  manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
> +allow policykit_t policykit_var_lib_t:dir watch;
>  
>  manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
>  manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
> Index: refpolicy-2.20210203/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20210203/policy/modules/services/postfix.te
> @@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
>  files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
>  
>  kernel_read_kernel_sysctls(postfix_map_t)
> +kernel_read_network_state(postfix_map_t)
>  kernel_dontaudit_list_proc(postfix_map_t)
>  kernel_dontaudit_read_system_state(postfix_map_t)
>  
> @@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
>  
>  auth_use_nsswitch(postfix_map_t)
>  
> +domain_use_interactive_fds(postfix_map_t)
> +
>  logging_send_syslog_msg(postfix_map_t)
>  
>  miscfiles_read_localization(postfix_map_t)
>  
> +userdom_use_user_ptys(postfix_map_t)
> +
>  optional_policy(`
>  	locallogin_dontaudit_use_fds(postfix_map_t)
>  ')
> @@ -745,12 +750,17 @@ allow postfix_showq_t postfix_spool_mail
>  allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
>  
>  allow postfix_showq_t postfix_spool_t:file read_file_perms;
> +allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
>  
>  mcs_file_read_all(postfix_showq_t)
>  
>  term_use_all_ptys(postfix_showq_t)
>  term_use_all_ttys(postfix_showq_t)
>  
> +optional_policy(`
> +	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
> +')
> +
>  ########################################
>  #
>  # Smtp delivery local policy
> Index: refpolicy-2.20210203/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210203/policy/modules/services/rpc.te
> @@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
>  
>  fs_rw_rpc_named_pipes(rpc_domain)
>  fs_search_auto_mountpoints(rpc_domain)
> +fs_watch_rpc_pipefs_dir(rpc_domain)
>  
>  files_read_etc_runtime_files(rpc_domain)
>  files_read_usr_files(rpc_domain)
> Index: refpolicy-2.20210203/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210203/policy/modules/services/samba.te
> @@ -619,7 +619,7 @@ allow smbcontrol_t self:unix_stream_sock
>  allow smbcontrol_t self:process { signal signull };
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
>  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
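Review bot: Changing read_files_pattern to manage_files_pattern on samba_runtime_t gives smbcontrol_t create, write, unlink and rename over every file of that type, a much wider grant than the read it had, and the hunk does not say which file smbcontrol needs to write. If it writes a specific file, a comment such as `# smbcontrol writes <file> under /run/samba` would justify the width; otherwise a narrower rule like `rw_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` may be all that is needed.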
> @@ -638,6 +638,7 @@ files_search_var_lib(smbcontrol_t)
>  term_use_console(smbcontrol_t)
>  
>  init_use_fds(smbcontrol_t)
> +init_rw_inherited_stream_socket(smbcontrol_t)
I mentioned how this is common to children of systemd and the systemd daemon.
I think this is how journald catches the stdout so that it can log it;
there is probably a more efficient way to address this at a lower level.

>  
>  miscfiles_read_localization(smbcontrol_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
> +++ refpolicy-2.20210203/policy/modules/services/sendmail.te
> @@ -173,6 +173,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	userdom_use_user_ttys(sendmail_t)
probably at least inherited? i.e. is userdom_use_inherited_user_ttys() an
option here?

>  	postfix_domtrans_postdrop(sendmail_t)
>  	postfix_domtrans_master(sendmail_t)
>  	postfix_domtrans_postqueue(sendmail_t)
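Review bot: userdom_use_user_ttys(sendmail_t) is inserted inside an optional_policy block whose other calls are all postfix_ interfaces, but userdom is a base module, so the call does not depend on postfix and should live outside that block in the main sendmail_t section. Leaving it there ties an unrelated tty grant to whether the postfix module happens to be present.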
> Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
> +++ refpolicy-2.20210203/policy/modules/services/smartmon.if
> @@ -56,3 +56,24 @@ interface(`smartmon_admin',`
>  	files_list_var_lib($1)
>  	admin_pattern($1, fsdaemon_var_lib_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	Read fsdaemon /var/lib files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`fsdaemon_read_lib',`
> +	gen_require(`
> +		type fsdaemon_var_lib_t;
> +	')
> +
> +	allow $1 fsdaemon_var_lib_t:dir search;
> +	allow $1 fsdaemon_var_lib_t:file read_file_perms;

You can also use a pattern for this; this is exactly the scenario that
suits the use of a pattern:

files_search_var_lib($1)
read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

> +')
> +
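Review bot: The new interface is named fsdaemon_read_lib, but the existing interfaces in this file carry the smartmon_ prefix (smartmon_admin is the one just above in the hunk) and refpolicy names interfaces after the module that provides them, so renaming it to smartmon_read_lib, with the caller in mon.te updated to match, keeps it discoverable. The summary could likewise say which module's types it covers, e.g. `## Read smartmon (fsdaemon) files in /var/lib.`, since the fsdaemon type name is not obviously tied to smartmon.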
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
>  ')
>  
>  optional_policy(`
> +	cron_read_pipes(ssh_t)
> +	cron_rw_tmp_files(ssh_t)
> +')
> +
> +optional_policy(`
>  	tunable_policy(`ssh_use_gpg_agent',`
>  		gpg_stream_connect_agent(ssh_t)
>  	')
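Review bot: cron_read_pipes(ssh_t) and cron_rw_tmp_files(ssh_t) are added without a comment, and the hunk does not say which use of ssh from cron needs them; presumably it is ssh invoked by a cron job with inherited pipes, but that is a guess. A one-line comment such as `# ssh run from cron jobs: inherited cron pipes and cron tmp files — confirm which job` above the block would record the reason for granting a user tool access to cron's files.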
> @@ -269,6 +274,8 @@ ifdef(`distro_debian',`
>  ifdef(`init_systemd',`
>  	auth_use_pam_systemd(sshd_t)
>  	init_dbus_chat(sshd_t)
> +	# dynamic users
> +	init_stream_connect(sshd_t)

probably best to address DynamicUsers.io in auth_use_nsswitch()?

>  	init_rw_stream_sockets(sshd_t)
>  	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/virt.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
> +++ refpolicy-2.20210203/policy/modules/services/virt.fc
> @@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
>  /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  
> +/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
> +
>  /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
>  
>  /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/virt.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.te
> +++ refpolicy-2.20210203/policy/modules/services/virt.te
> @@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
>  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
>  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
>  
> +allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
> +allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
> +
>  manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
>  
>  kernel_read_network_state(virt_bridgehelper_t)
> Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20210203/policy/modules/services/xserver.fc
> @@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20210203/policy/modules/services/xserver.te
> @@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
>  auth_use_nsswitch(xauth_t)
>  
>  userdom_use_user_terminals(xauth_t)
> +userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
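Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` makes every file xauth_t creates under the user tmp type land with a home-content label and carries no filename qualifier, so it relabels more than the single authority file it is presumably meant for. If xserver.te declares a dedicated tmp type for xauth_t (not visible in this hunk), that type should be the transition target, and if the interface accepts a name argument, as most refpolicy filetrans interfaces do, passing the file name would narrow the rule. A comment naming the file that triggers this, e.g. `# temporary authority file written by xauth into the user tmp dir — confirm path`, would make the intent reviewable.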
> Index: refpolicy-2.20210203/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20210203/policy/modules/system/mount.if
> @@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Watch mount runtime files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch mount runtime files reads.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files_reads',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch_reads;
> +')
> +
> +########################################
> +## <summary>
>  ##     Getattr on mount_runtime_t files
>  ## </summary>
>  ## <param name="domain">
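Review bot: The summary of `mount_watch_runtime_files_reads` reads awkwardly (`Watch mount runtime files reads.`); `##	Watch reads of mount runtime files.` states what `watch_reads` grants. Both new interfaces otherwise follow the layout of the adjacent interface shown as context, including its space-indented `<summary>` inside `<param>`.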
> Index: refpolicy-2.20210203/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210203/policy/modules/kernel/files.if
> @@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
>  
>  ########################################
>  ## <summary>
> +##	map generic files in /var/lib.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_map_var_lib_files',`
> +	gen_require(`
> +		type var_lib_t;
> +	')
> +
> +	allow $1 var_lib_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read generic symbolic links in /var/lib
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/system/libraries.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
> +++ refpolicy-2.20210203/policy/modules/system/libraries.if
> @@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
>  
>  	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	watch lib dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`libs_watch_shared_libs_dir',`
> +	gen_require(`
> +		type lib_t;
> +	')
> +
> +	allow $1 lib_t:dir watch;
> +')
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> @@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
>  
>  #######################################
>  ## <summary>
> +##	Watch a network config dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_watch_config_dir',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	allow $1 net_conf_t:dir watch;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Read the dhcp client pid file.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> @@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of binfmt_misc filesystems.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_getattr_binfmt_misc_fs',`
> +	gen_require(`
> +		type binfmt_misc_fs_t;
> +	')
> +
> +	allow $1 binfmt_misc_fs_t:filesystem getattr;
> +
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of directories on
>  ##	binfmt_misc filesystems.
>  ## </summary>
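Review bot: `fs_getattr_binfmt_misc_fs` has a stray blank line between the allow rule and the closing `')`, unlike the two other interfaces added in this file (`fs_watch_rpc_pipefs_dir`, `fs_search_bpf`) and the neighbouring `fs_getattr_rpc_pipefs` shown as context. Drop the blank line so the block matches them; the summary and parameter block are fine as written.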
> @@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
>  	allow $1 rpc_pipefs_t:filesystem getattr;
>  ')
>  
> +########################################
> +## <summary>
> +##	Watch a rpc pipefs dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_watch_rpc_pipefs_dir',`
> +	gen_require(`
> +		type rpc_pipefs_t;
> +	')
> +
> +	allow $1 rpc_pipefs_t:dir watch;
> +')
> +
>  #########################################
>  ## <summary>
>  ##	Read and write RPC pipe filesystem named pipes.
> @@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
>  
>  	typeattribute $1 filesystem_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Search bpf dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_search_bpf',`
> +	gen_require(`
> +		type bpf_t;
> +	')
> +
> +	allow $1 bpf_t:dir search;
> +')
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift


* [PATCH] misc services patches
@ 2021-02-03  4:08 Russell Coker
  2021-02-03 18:06 ` Dominick Grift
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2021-02-03  4:08 UTC (permalink / raw)
  To: selinux-refpolicy

Lots of little patches for services.


Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
+++ refpolicy-2.20210203/policy/modules/services/accountsd.te
@@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
 # Local policy
 #
 
-allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
-allow accountsd_t self:process signal;
+allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
+allow accountsd_t self:process { signal getsched setsched };
 allow accountsd_t self:fifo_file rw_fifo_file_perms;
 allow accountsd_t self:passwd { rootok passwd chfn chsh };
 
Index: refpolicy-2.20210203/policy/modules/services/acpi.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
+++ refpolicy-2.20210203/policy/modules/services/acpi.te
@@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
 #
 
 allow acpi_t self:capability { dac_override sys_admin };
+# for pidof and pgrep
+allow acpid_t self:cap_userns sys_ptrace;
 
 kernel_read_system_state(acpi_t)
 
@@ -105,6 +107,7 @@ dev_rw_acpi_bios(acpid_t)
 dev_rw_sysfs(acpid_t)
 dev_dontaudit_getattr_all_chr_files(acpid_t)
 dev_dontaudit_getattr_all_blk_files(acpid_t)
+dev_watch_dev_dirs(acpid_t)
 
 files_exec_etc_files(acpid_t)
 files_read_etc_runtime_files(acpid_t)
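Review bot: In the first hunk of this file (`@@ -45,6 +45,8`), the new `allow acpid_t self:cap_userns sys_ptrace;` sits directly under `allow acpi_t self:capability { dac_override sys_admin };` and before `kernel_read_system_state(acpi_t)`, i.e. inside the acpi_t local policy, while the rule itself targets acpid_t. If the daemon has its own section (this hunk and the later ones reference acpid_t), the rule and its comment belong there with the other acpid_t self rules; if the grant was meant for acpi_t, the type is wrong. `cap_userns sys_ptrace` is also a broad permission, so the comment could name the operation, e.g. `# pidof/pgrep read other processes' /proc entries inside a user namespace — confirm`.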
@@ -136,6 +139,7 @@ domain_dontaudit_list_all_domains_state(
 auth_use_nsswitch(acpid_t)
 
 init_domtrans_script(acpid_t)
+init_read_utmp(acpid_t)
 init_telinit(acpid_t)
 
 libs_exec_ld_so(acpid_t)
@@ -218,6 +222,7 @@ optional_policy(`
 
 optional_policy(`
 	init_list_unit_dirs(acpid_t)
+	systemd_dbus_chat_logind(acpid_t)
 	systemd_start_power_units(acpid_t)
 	systemd_status_power_units(acpid_t)
 ')
Index: refpolicy-2.20210203/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210203/policy/modules/services/apache.fc
@@ -172,7 +172,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
-/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
+/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210203/policy/modules/services/apache.te
@@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
 files_read_var_lib_files(httpd_t)
+files_map_var_lib_files(httpd_t)
 files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
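Review bot: `files_map_var_lib_files(httpd_t)` grants `map` on every generic var_lib_t file, which is wider than the read access on the preceding line, and nothing says which component needs it. A why-comment in the style used in cups.te (`# for /var/lib/defoma`) would let a later reviewer decide whether a dedicated type is warranted: `# mmap of generic /var/lib files by <component> — TODO name it`. The interface itself is the `files_map_var_lib_files` added to files.if in the earlier quoted patch in this thread.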
Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
@@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
 
 manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
 
+kernel_read_system_state(aptcacher_t)
 kernel_read_vm_overcommit_sysctl(aptcacher_t)
 
 # Calls system()
@@ -76,6 +77,7 @@ corenet_tcp_connect_http_port(aptcacher_
 auth_use_nsswitch(aptcacher_t)
 
 files_read_etc_files(aptcacher_t)
+files_read_usr_files(aptcacher_t)
 
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
Index: refpolicy-2.20210203/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210203/policy/modules/services/bind.te
@@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
 
 allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
 dontaudit named_t self:capability sys_tty_config;
-allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
+allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
 allow named_t self:fifo_file rw_fifo_file_perms;
 allow named_t self:unix_stream_socket { accept listen };
 allow named_t self:tcp_socket { accept listen };
@@ -212,9 +212,9 @@ optional_policy(`
 # NDC local policy
 #
 
-allow ndc_t self:capability { dac_override net_admin };
+allow ndc_t self:capability { dac_override dac_read_search net_admin };
 allow ndc_t self:capability2 block_suspend;
-allow ndc_t self:process signal_perms;
+allow ndc_t self:process { signal_perms getsched setsched };
 allow ndc_t self:fifo_file rw_fifo_file_perms;
 allow ndc_t self:unix_stream_socket { accept listen };
 
Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
+++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
@@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
 allow bluetooth_t self:unix_stream_socket { accept connectto listen };
 allow bluetooth_t self:tcp_socket { accept listen };
 allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
+allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
 
 read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
 
@@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
 
 can_exec(bluetooth_t, bluetooth_helper_exec_t)
 
+kernel_read_crypto_sysctls(bluetooth_t)
 kernel_read_kernel_sysctls(bluetooth_t)
 kernel_read_system_state(bluetooth_t)
 kernel_read_network_state(bluetooth_t)
@@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
 miscfiles_read_fonts(bluetooth_t)
 miscfiles_read_hwdata(bluetooth_t)
 
+udev_search_runtime(bluetooth_t)
+
 userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
 userdom_dontaudit_use_user_terminals(bluetooth_t)
 userdom_dontaudit_search_user_home_dirs(bluetooth_t)
@@ -210,5 +214,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(bluetooth_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
 ')
Index: refpolicy-2.20210203/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20210203/policy/modules/services/boinc.te
@@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
 dev_read_rand(boinc_t)
 dev_read_urand(boinc_t)
 dev_read_sysfs(boinc_t)
+dev_rw_dri(boinc_t)
 dev_rw_xserver_misc(boinc_t)
 
 domain_read_all_domains_state(boinc_t)
Index: refpolicy-2.20210203/policy/modules/services/certbot.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
+++ refpolicy-2.20210203/policy/modules/services/certbot.te
@@ -85,6 +85,8 @@ domain_use_interactive_fds(certbot_t)
 files_read_etc_files(certbot_t)
 files_read_usr_files(certbot_t)
 
+# dontaudit for attempts to write python cache files
+libs_dontaudit_write_lib_dirs(certbot_t)
 libs_exec_ldconfig(certbot_t)
 # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
 libs_exec_lib_files(certbot_t)
Index: refpolicy-2.20210203/policy/modules/services/clamav.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
+++ refpolicy-2.20210203/policy/modules/services/clamav.te
@@ -176,7 +176,7 @@ optional_policy(`
 # Freshclam local policy
 #
 
-allow freshclam_t self:capability { dac_override setgid setuid };
+allow freshclam_t self:capability { chown dac_override setgid setuid };
 allow freshclam_t self:fifo_file rw_fifo_file_perms;
 allow freshclam_t self:unix_stream_socket { accept listen };
 allow freshclam_t self:tcp_socket { accept listen };
@@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
 domain_use_interactive_fds(freshclam_t)
 
 files_read_etc_runtime_files(freshclam_t)
+files_read_usr_files(freshclam_t)
 files_search_var_lib(freshclam_t)
 
 auth_use_nsswitch(freshclam_t)
Index: refpolicy-2.20210203/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210203/policy/modules/services/colord.te
@@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
 
 allow colord_t self:capability { dac_override dac_read_search };
 dontaudit colord_t self:capability sys_admin;
-allow colord_t self:process signal;
+allow colord_t self:process { signal getsched setsched };
 allow colord_t self:fifo_file rw_fifo_file_perms;
 allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow colord_t self:tcp_socket { accept listen };
Index: refpolicy-2.20210203/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210203/policy/modules/services/cron.te
@@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
+kernel_read_rpc_sysctls(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
 kernel_read_software_raid_state(system_cronjob_t)
 
Index: refpolicy-2.20210203/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210203/policy/modules/services/cups.te
@@ -5,6 +5,13 @@ policy_module(cups, 1.25.3)
 # Declarations
 #
 
+## <desc>
+## <p>
+## Allows legacy ld_so for old printer filters
+## </p>
+## </desc>
+gen_tunable(cups_legacy_ldso, false)
+
 type cupsd_config_t;
 type cupsd_config_exec_t;
 init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
@@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
 
 manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
+manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
 filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
 files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
 
@@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
 
 files_getattr_boot_dirs(cupsd_t)
 files_list_spool(cupsd_t)
+files_map_etc_files(cupsd_t)
 files_read_etc_runtime_files(cupsd_t)
 files_read_usr_files(cupsd_t)
 files_exec_usr_files(cupsd_t)
 # for /var/lib/defoma
 files_read_var_lib_files(cupsd_t)
+files_read_var_lib_symlinks(cupsd_t)
 files_list_world_readable(cupsd_t)
 files_read_world_readable_files(cupsd_t)
 files_read_world_readable_symlinks(cupsd_t)
@@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
 userdom_manage_user_home_content_files(cups_pdf_t)
 userdom_home_filetrans_user_home_dir(cups_pdf_t)
 
+tunable_policy(`cups_legacy_ldso',`
+	libs_legacy_use_ld_so(cupsd_t)
+')
+
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_dirs(cups_pdf_t)
 	fs_manage_nfs_files(cups_pdf_t)
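Review bot: The new tunable_policy block for cups_legacy_ldso grants `libs_legacy_use_ld_so(cupsd_t)` but is inserted among the cups_pdf_t rules (the hunk header and every context line here reference cups_pdf_t), so it lands in the wrong local-policy section. Move it into the cupsd_t block with that domain's other tunable_policy calls (outside this hunk). The tunable's `<desc>` in the first hunk could also name the domain it affects, since it touches the main daemon: `## Allow cupsd to use the legacy ld.so needed by old printer filters`.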
Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210203/policy/modules/services/devicekit.te
@@ -67,7 +67,7 @@ optional_policy(`
 
 allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
 allow devicekit_disk_t self:capability2 wake_alarm;
-allow devicekit_disk_t self:process { getsched signal_perms };
+allow devicekit_disk_t self:process { getsched setsched signal_perms };
 allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
 
@@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
 mls_file_write_to_clearance(devicekit_disk_t)
 
 mount_rw_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files(devicekit_disk_t)
+mount_watch_runtime_files_reads(devicekit_disk_t)
 
 storage_raw_read_fixed_disk(devicekit_disk_t)
 storage_raw_write_fixed_disk(devicekit_disk_t)
@@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
 
 logging_send_syslog_msg(devicekit_disk_t)
 
+mount_watch_runtime_dirs(devicekit_disk_t)
 miscfiles_read_localization(devicekit_disk_t)
 
 userdom_read_all_users_state(devicekit_disk_t)
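Review bot: `mount_watch_runtime_dirs(devicekit_disk_t)` is added between `logging_send_syslog_msg` and `miscfiles_read_localization`, while the preceding hunk (`@@ -135,6 +135,8`) puts the other two new `mount_watch_*` calls next to `mount_rw_runtime_files`. refpolicy groups interface calls by module, so this line belongs with those three; as placed it also breaks the alphabetical run of logging/miscfiles calls.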
@@ -210,7 +213,7 @@ optional_policy(`
 
 allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
 allow devicekit_power_t self:capability2 wake_alarm;
-allow devicekit_power_t self:process { getsched signal_perms };
+allow devicekit_power_t self:process { getsched setsched signal_perms };
 allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
 allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
 allow devicekit_power_t self:unix_stream_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
+++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
@@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
 userdom_search_user_home_dirs(dirmngr_t)
 userdom_search_user_runtime(dirmngr_t)
 userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
+allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
 
 optional_policy(`
 	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
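Review bot: The bare `allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;` is appended after a userdom_ interface call, whereas refpolicy keeps a domain's rules on its own types, written as patterns, ahead of the interface calls. The conventional form is `manage_dirs_pattern(dirmngr_t, dirmngr_tmp_t, dirmngr_tmp_t)` placed with the other dirmngr_tmp_t rules earlier in the file (outside this hunk); the filetrans on the line above stays where it is.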
@@ -92,3 +93,7 @@ optional_policy(`
 	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
 	gpg_stream_connect_agent(dirmngr_t)
 ')
+
+optional_policy(`
+	corenet_tcp_connect_tor_port(dirmngr_t)
+')
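Review bot: `corenet_tcp_connect_tor_port(dirmngr_t)` is wrapped in `optional_policy`, but corenetwork is a base kernel-layer module, so the wrapper is unnecessary and the call belongs with the domain's other corenet_ calls (outside this hunk). If connecting to the Tor port is meant to be switchable per site, a `tunable_policy` block is the construct for that, not optional_policy.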
Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
+++ refpolicy-2.20210203/policy/modules/services/dovecot.te
@@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
 
 kernel_dontaudit_getattr_proc(dovecot_auth_t)
 
+kernel_getattr_proc(dovecot_auth_t)
+
 files_search_runtime(dovecot_auth_t)
 files_read_usr_files(dovecot_auth_t)
 files_read_var_lib_files(dovecot_auth_t)
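Review bot: `kernel_getattr_proc(dovecot_auth_t)` is added two lines below `kernel_dontaudit_getattr_proc(dovecot_auth_t)`, which leaves a dontaudit for a permission that is now allowed; the dontaudit is dead once the allow is in. Replace the existing dontaudit line with the new call instead of adding beside it, so the file does not carry both.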
Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
@@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_read_vm_overcommit_sysctl(fail2ban_t)
 kernel_search_fs_sysctls(fail2ban_t)
+kernel_search_vm_sysctl(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -133,7 +135,7 @@ optional_policy(`
 #
 
 allow fail2ban_client_t self:capability dac_read_search;
-allow fail2ban_client_t self:unix_stream_socket { create connect write read };
+allow fail2ban_client_t self:unix_stream_socket { create connect write read shutdown };
 
 domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
 
Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
+++ refpolicy-2.20210203/policy/modules/services/ftp.fc
@@ -1,4 +1,5 @@
 /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
+/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
 
 /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
@@ -22,8 +23,10 @@
 /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
+/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
 
-/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
+/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
 
 /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
 
@@ -31,6 +34,7 @@
 
 /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
+/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
 /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/ftp.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
+++ refpolicy-2.20210203/policy/modules/services/ftp.te
@@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
 allow ftpd_t self:shm create_shm_perms;
 allow ftpd_t self:key manage_key_perms;
 
+allow ftpd_t ftpd_etc_t:dir list_dir_perms;
 allow ftpd_t ftpd_etc_t:file read_file_perms;
 
 allow ftpd_t ftpd_keytab_t:file read_file_perms;
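Review bot: `allow ftpd_t ftpd_etc_t:dir list_dir_perms;` together with the existing `file read_file_perms` line is what `read_files_pattern(ftpd_t, ftpd_etc_t, ftpd_etc_t)` expresses, except that the pattern grants only search on the directory; `list_dir_perms` is wider, so keep the explicit rule only if the daemon actually enumerates the config directory. The rule is presumably driven by the `/etc/pure-ftpd(/.*)?` labelling added in ftp.fc in this series; a comment saying so, `# pure-ftpd keeps its config files under /etc/pure-ftpd/`, would tie the two hunks together.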
@@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
 
 manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
+allow ftpd_t ftpd_runtime_t:file map;
 manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
 files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
 
@@ -405,6 +407,13 @@ optional_policy(`
 	seutil_sigchld_newrole(ftpd_t)
 ')
 
+optional_policy(`
+	systemd_connect_machined(ftpd_t)
+	systemd_dbus_chat_logind(ftpd_t)
+	systemd_read_logind_state(ftpd_t)
+	systemd_write_inherited_logind_sessions_pipes(ftpd_t)
+')
+
 ########################################
 #
 # Ctl local policy
Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
+++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
@@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
 
 auth_use_nsswitch(kerneloops_t)
 
+logging_mmap_generic_logs(kerneloops_t)
 logging_send_syslog_msg(kerneloops_t)
 logging_read_generic_logs(kerneloops_t)
 
Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
+++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
@@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
 #
 
 allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
-allow modemmanager_t self:process { getsched signal };
+allow modemmanager_t self:process { getsched setsched signal };
 allow modemmanager_t self:fifo_file rw_fifo_file_perms;
 allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
 allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210203/policy/modules/services/mon.te
@@ -164,9 +164,10 @@ optional_policy(`
 #
 
 # sys_ptrace is for reading /proc/1/maps etc
-allow mon_local_test_t self:capability { sys_ptrace sys_admin };
+allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
+allow mon_local_test_t self:cap_userns sys_ptrace;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
 fs_search_auto_mountpoints(mon_local_test_t)
 fs_getattr_nfs(mon_local_test_t)
 fs_getattr_xattr_fs(mon_local_test_t)
+fs_list_cgroup_dirs(mon_local_test_t)
 fs_list_hugetlbfs(mon_local_test_t)
 fs_list_tmpfs(mon_local_test_t)
+fs_read_cgroup_files(mon_local_test_t)
+fs_search_cgroup_dirs(mon_local_test_t)
 fs_search_nfs(mon_local_test_t)
 
 storage_getattr_fixed_disk_dev(mon_local_test_t)
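Review bot: `storage_raw_read_fixed_disk(mon_local_test_t)` in the next hunk (`@@ -211,12 +215,14`) is placed under the miscfiles_ calls; it belongs here next to `storage_getattr_fixed_disk_dev`, and `fsdaemon_read_lib(mon_local_test_t)` in that same hunk calls into the smartmon module, which is not a base module, so it needs an `optional_policy` wrapper (and a rename if the interface gets its `smartmon_` prefix). Together with the `sys_rawio` capability added in the first hunk of this file, this gives the test domain raw read access to fixed disks, which is a large grant for a monitoring helper. A comment naming the test that needs it (a SMART check, presumably) would justify it to later readers.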
@@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
 
 auth_use_nsswitch(mon_local_test_t)
 
+fsdaemon_read_lib(mon_local_test_t)
 init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
 miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
+storage_raw_read_fixed_disk(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
 
Index: refpolicy-2.20210203/policy/modules/services/mta.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mta.if
+++ refpolicy-2.20210203/policy/modules/services/mta.if
@@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
 	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
 	allow $1 mail_home_rw_t:file map;
 	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
+	allow $1 mail_home_rw_t:dir watch;
 ')
 
 ########################################
Index: refpolicy-2.20210203/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210203/policy/modules/services/mysql.te
@@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
 
 allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
-allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
+allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
 allow mysqld_t self:shm create_shm_perms;
 allow mysqld_t self:unix_stream_socket { connectto accept listen };
Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
@@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
 files_read_usr_src_files(NetworkManager_t)
 
 fs_getattr_all_fs(NetworkManager_t)
+fs_read_nsfs_files(NetworkManager_t)
 fs_search_auto_mountpoints(NetworkManager_t)
 fs_list_inotifyfs(NetworkManager_t)
 
@@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
 
 auth_use_nsswitch(NetworkManager_t)
 
+libs_watch_shared_libs_dir(NetworkManager_t)
+
 logging_send_audit_msgs(NetworkManager_t)
 logging_send_syslog_msg(NetworkManager_t)
 
@@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
 sysnet_search_dhcp_state(NetworkManager_t)
 sysnet_manage_config(NetworkManager_t)
 sysnet_etc_filetrans_config(NetworkManager_t)
+sysnet_watch_config_dir(NetworkManager_t)
 
 # certificates in user home directories (cert_home_t in ~/\.pki)
 userdom_read_user_certs(NetworkManager_t)
Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210203/policy/modules/services/openvpn.te
@@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
 
 fs_getattr_all_fs(openvpn_t)
 fs_search_auto_mountpoints(openvpn_t)
+fs_search_tmpfs(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
Index: refpolicy-2.20210203/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20210203/policy/modules/services/policykit.te
@@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
 rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
 
 manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
+allow policykit_t policykit_var_lib_t:dir watch;
 
 manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
 manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
Index: refpolicy-2.20210203/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20210203/policy/modules/services/postfix.te
@@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
 files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
 
 kernel_read_kernel_sysctls(postfix_map_t)
+kernel_read_network_state(postfix_map_t)
 kernel_dontaudit_list_proc(postfix_map_t)
 kernel_dontaudit_read_system_state(postfix_map_t)
 
@@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
 
 auth_use_nsswitch(postfix_map_t)
 
+domain_use_interactive_fds(postfix_map_t)
+
 logging_send_syslog_msg(postfix_map_t)
 
 miscfiles_read_localization(postfix_map_t)
 
+userdom_use_user_ptys(postfix_map_t)
+
 optional_policy(`
 	locallogin_dontaudit_use_fds(postfix_map_t)
 ')
@@ -745,12 +750,17 @@ allow postfix_showq_t postfix_spool_mail
 allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
 
 allow postfix_showq_t postfix_spool_t:file read_file_perms;
+allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
 
 mcs_file_read_all(postfix_showq_t)
 
 term_use_all_ptys(postfix_showq_t)
 term_use_all_ttys(postfix_showq_t)
 
+optional_policy(`
+	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
+')
+
 ########################################
 #
 # Smtp delivery local policy
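Review bot: `unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)` makes an unconfined process that executes the showq binary transition into postfix_showq_t, and the hunk gives no reason; showq is normally spawned by the postfix master, so a comment above the block stating the trigger (for example a queue listing run directly as root) would help. The added `allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };` is presumably the showq side of the postqueue/showq socket; if postqueue needs the reverse direction, that rule belongs in the postqueue section, which is outside this hunk. Both remarks are inferences from the type names, not from the visible lines.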
Index: refpolicy-2.20210203/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210203/policy/modules/services/rpc.te
@@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
 
 fs_rw_rpc_named_pipes(rpc_domain)
 fs_search_auto_mountpoints(rpc_domain)
+fs_watch_rpc_pipefs_dir(rpc_domain)
 
 files_read_etc_runtime_files(rpc_domain)
 files_read_usr_files(rpc_domain)
Index: refpolicy-2.20210203/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210203/policy/modules/services/samba.te
@@ -619,7 +619,7 @@ allow smbcontrol_t self:unix_stream_sock
 allow smbcontrol_t self:process { signal signull };
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
-read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
 allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
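Review bot: Changing `read_files_pattern` to `manage_files_pattern` on the smbcontrol_t/samba_runtime_t line escalates a control utility from reading runtime state to creating, writing, renaming and deleting every file of that type, which includes the daemons' pid and lock files, and the hunk gives no reason. If smbcontrol only needs to create its own messaging socket or lock file, a narrower rule with a comment, e.g. `# smbcontrol creates its messaging files in the runtime dir — confirm which`, would keep the daemons' own state files read-only for it. The directory side (`rw_dir_perms`) is already in the context line, so only the file class needs tightening.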
@@ -638,6 +638,7 @@ files_search_var_lib(smbcontrol_t)
 term_use_console(smbcontrol_t)
 
 init_use_fds(smbcontrol_t)
+init_rw_inherited_stream_socket(smbcontrol_t)
 
 miscfiles_read_localization(smbcontrol_t)
 
Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
+++ refpolicy-2.20210203/policy/modules/services/sendmail.te
@@ -173,6 +173,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	userdom_use_user_ttys(sendmail_t)
 	postfix_domtrans_postdrop(sendmail_t)
 	postfix_domtrans_master(sendmail_t)
 	postfix_domtrans_postqueue(sendmail_t)
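Review bot: `userdom_use_user_ttys(sendmail_t)` is added inside the `optional_policy` block whose other calls are all `postfix_*`, so the tty access is silently dropped whenever the postfix module is not built, even though userdom is a base module that is always present. Move the line out of the block into the unconditional userdom section of sendmail.te; that section is outside this hunk. Refpolicy keeps one module's interfaces per `optional_policy` block, and the preceding context of this block is cut, so the exact destination is not visible here.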
Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
+++ refpolicy-2.20210203/policy/modules/services/smartmon.if
@@ -56,3 +56,24 @@ interface(`smartmon_admin',`
 	files_list_var_lib($1)
 	admin_pattern($1, fsdaemon_var_lib_t)
 ')
+
+########################################
+## <summary>
+##	Read fsdaemon /var/lib files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+## <rolecap/>
+#
+interface(`fsdaemon_read_lib',`
+	gen_require(`
+		type fsdaemon_var_lib_t;
+	')
+
+	allow $1 fsdaemon_var_lib_t:dir search;
+	allow $1 fsdaemon_var_lib_t:file read_file_perms;
+')
+
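Review bot: The new interface is named `fsdaemon_read_lib` while the module's interfaces use the module prefix (`smartmon_admin` in the hunk header), so nobody looking for a `smartmon_` interface will find it; `smartmon_read_lib_files` would match convention. The body also grants only `search` on `fsdaemon_var_lib_t` itself, so a caller without its own `/var/lib` search permission still cannot reach the files; `files_search_var_lib($1)` followed by `read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)` is the usual form and mirrors `smartmon_admin` just above. The only visible caller is `fsdaemon_read_lib(mon_local_test_t)` in the mon.te hunk, which would need renaming in step.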
Index: refpolicy-2.20210203/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20210203/policy/modules/services/ssh.te
@@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
 ')
 
 optional_policy(`
+	cron_read_pipes(ssh_t)
+	cron_rw_tmp_files(ssh_t)
+')
+
+optional_policy(`
 	tunable_policy(`ssh_use_gpg_agent',`
 		gpg_stream_connect_agent(ssh_t)
 	')
@@ -269,6 +274,8 @@ ifdef(`distro_debian',`
 ifdef(`init_systemd',`
 	auth_use_pam_systemd(sshd_t)
 	init_dbus_chat(sshd_t)
+	# dynamic users
+	init_stream_connect(sshd_t)
 	init_rw_stream_sockets(sshd_t)
 	systemd_write_inherited_logind_sessions_pipes(sshd_t)
 ')
Index: refpolicy-2.20210203/policy/modules/services/virt.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
+++ refpolicy-2.20210203/policy/modules/services/virt.fc
@@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
 /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
 
+/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
+/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
+
 /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
 
 /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
Index: refpolicy-2.20210203/policy/modules/services/virt.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/virt.te
+++ refpolicy-2.20210203/policy/modules/services/virt.te
@@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
 allow virt_bridgehelper_t self:tun_socket create_socket_perms;
 allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
 
+allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
+allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
+
 manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
 
 kernel_read_network_state(virt_bridgehelper_t)
Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
+++ refpolicy-2.20210203/policy/modules/services/xserver.fc
@@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
 /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
+/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
 /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
 /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
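Review bot: Labeling `/usr/bin/sddm-greeter` as `xdm_exec_t` means the greeter, the process that renders the login UI and handles untrusted keyboard and theme input, runs in the full display-manager domain rather than a narrower one. If sddm starts the greeter as an unprivileged user, as its name suggests, a dedicated or more restricted domain would keep display-manager privileges away from the user-facing part; at minimum a comment recording why the greeter shares xdm's domain is worth adding. Whether the greeter is exec'd by xdm_t or by a separate sddm user is not visible from the file-context line alone.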
Index: refpolicy-2.20210203/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20210203/policy/modules/services/xserver.te
@@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
 auth_use_nsswitch(xauth_t)
 
 userdom_use_user_terminals(xauth_t)
+userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
Index: refpolicy-2.20210203/policy/modules/system/mount.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.if
+++ refpolicy-2.20210203/policy/modules/system/mount.if
@@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
 
 ########################################
 ## <summary>
+##	Watch mount runtime files.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch;
+')
+
+########################################
+## <summary>
+##	Watch mount runtime files reads.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`mount_watch_runtime_files_reads',`
+	gen_require(`
+		type mount_runtime_t;
+	')
+
+	allow $1 mount_runtime_t:file watch_reads;
+')
+
+########################################
+## <summary>
 ##     Getattr on mount_runtime_t files
 ## </summary>
 ## <param name="domain">
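Review bot: The summary of `mount_watch_runtime_files_reads` reads "Watch mount runtime files reads.", which is ungrammatical; `##	Watch reads of mount runtime files.` states the intent. Neither `mount_watch_runtime_files` nor `mount_watch_runtime_files_reads` is called by any hunk visible in this part of the patch, so if no caller exists elsewhere in the series the two interfaces are dead on arrival and should be added together with their first user. The `<param>` documentation in both new interfaces is indented with spaces while the new interfaces elsewhere in this series (files.if, sysnetwork.if) use a tab.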
Index: refpolicy-2.20210203/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20210203/policy/modules/kernel/files.if
@@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
 
 ########################################
 ## <summary>
+##	map generic files in /var/lib.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`files_map_var_lib_files',`
+	gen_require(`
+		type var_lib_t;
+	')
+
+	allow $1 var_lib_t:file map;
+')
+
+########################################
+## <summary>
 ##	Read generic symbolic links in /var/lib
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/system/libraries.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
+++ refpolicy-2.20210203/policy/modules/system/libraries.if
@@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
 
 	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
 ')
+
+########################################
+## <summary>
+##	watch lib dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`libs_watch_shared_libs_dir',`
+	gen_require(`
+		type lib_t;
+	')
+
+	allow $1 lib_t:dir watch;
+')
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
@@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
 
 #######################################
 ## <summary>
+##	Watch a network config dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_watch_config_dir',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	allow $1 net_conf_t:dir watch;
+')
+
+#######################################
+## <summary>
 ##	Read the dhcp client pid file.  (Deprecated)
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
+++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
@@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
 
 ########################################
 ## <summary>
+##	Get the attributes of binfmt_misc filesystems.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_getattr_binfmt_misc_fs',`
+	gen_require(`
+		type binfmt_misc_fs_t;
+	')
+
+	allow $1 binfmt_misc_fs_t:filesystem getattr;
+
+')
+
+########################################
+## <summary>
 ##	Get the attributes of directories on
 ##	binfmt_misc filesystems.
 ## </summary>
@@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
 	allow $1 rpc_pipefs_t:filesystem getattr;
 ')
 
+########################################
+## <summary>
+##	Watch a rpc pipefs dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_watch_rpc_pipefs_dir',`
+	gen_require(`
+		type rpc_pipefs_t;
+	')
+
+	allow $1 rpc_pipefs_t:dir watch;
+')
+
 #########################################
 ## <summary>
 ##	Read and write RPC pipe filesystem named pipes.
@@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
 
 	typeattribute $1 filesystem_unconfined_type;
 ')
+
+########################################
+## <summary>
+##	Search bpf dirs
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`fs_search_bpf',`
+	gen_require(`
+		type bpf_t;
+	')
+
+	allow $1 bpf_t:dir search;
+')


* Re: [PATCH] misc services patches
  2019-01-04  7:33 Russell Coker
@ 2019-01-05 18:34 ` Chris PeBenito
  0 siblings, 0 replies; 11+ messages in thread
From: Chris PeBenito @ 2019-01-05 18:34 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/4/19 2:33 AM, Russell Coker wrote:
> Lots of little patches to services.
> 
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
>   # Local policy
>   #
>   
> -allow boinc_t self:process { setsched setpgid signull sigkill };
> +allow boinc_t self:process { setsched setpgid signull sigkill signal };
>   allow boinc_t self:unix_stream_socket { accept listen };
>   allow boinc_t self:tcp_socket { accept listen };
>   allow boinc_t self:shm create_shm_perms;
> @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
>   
>   can_exec(boinc_t, boinc_var_lib_t)
>   libs_exec_lib_files(boinc_t)
> +# for mmap of ld.so.cache
> +libs_legacy_use_ld_so(boinc_t)
>   
>   domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>   
>   kernel_read_system_state(boinc_t)
>   kernel_search_vm_sysctl(boinc_t)
>   kernel_read_crypto_sysctls(boinc_t)
> +kernel_read_kernel_sysctls(boinc_t)
>   
>   corenet_all_recvfrom_unlabeled(boinc_t)
>   corenet_all_recvfrom_netlabel(boinc_t)
> @@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
>   logging_send_syslog_msg(boinc_t)
>   
>   miscfiles_read_fonts(boinc_t)
> +miscfiles_read_generic_certs(boinc_t)
>   miscfiles_read_localization(boinc_t)
>   
>   tunable_policy(`boinc_execmem',`
> @@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
>   userdom_getattr_user_ttys(boinc_t)
>   
>   optional_policy(`
> +	# for lsb_release -a
> +	apt_read_cache(boinc_t)
> +	apt_read_db(boinc_t)
> +	dpkg_exec(boinc_t)
> +	dpkg_read_db(boinc_t)
> +
> +	apt_read_cache(boinc_project_t)
> +	apt_read_db(boinc_project_t)
> +	dpkg_exec(boinc_project_t)
> +	dpkg_read_db(boinc_project_t)
> +')
> +
> +optional_policy(`
>   	java_exec(boinc_project_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
>   # Local policy
>   #
>   
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
>   allow consolekit_t self:process { getsched signal setfscreate };
>   allow consolekit_t self:fifo_file rw_fifo_file_perms;
>   allow consolekit_t self:unix_stream_socket { accept listen };
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
>   kernel_read_system_state(devicekit_t)
>   
>   dev_read_sysfs(devicekit_t)
> +dev_read_rand(devicekit_t)
>   dev_read_urand(devicekit_t)
>   
>   files_read_etc_files(devicekit_t)
> Index: refpolicy-2.20180701/policy/modules/services/dictd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
> +++ refpolicy-2.20180701/policy/modules/services/dictd.te
> @@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
>   userdom_dontaudit_use_unpriv_user_fds(dictd_t)
>   
>   optional_policy(`
> +	dbus_system_bus_client(dictd_t)
> +')
> +
> +optional_policy(`
>   	seutil_sigchld_newrole(dictd_t)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
> +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
>   dev_read_urand(fetchmail_t)
>   
>   files_read_etc_runtime_files(fetchmail_t)
> +files_read_usr_files(fetchmail_t)
>   files_search_tmp(fetchmail_t)
>   files_dontaudit_search_home(fetchmail_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
> @@ -5,3 +5,4 @@
>   /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
>   
>   /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
> +/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.te
> @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
>   allow gdomap_t self:tcp_socket { listen accept };
>   
>   allow gdomap_t gdomap_var_run_t:file manage_file_perms;
> +# gdomap_var_run_t dir is for chroot
> +allow gdomap_t gdomap_var_run_t:dir search;
>   files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
>   
>   corenet_sendrecv_gdomap_server_packets(gdomap_t)
> @@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
>   auth_use_nsswitch(gdomap_t)
>   
>   logging_send_syslog_msg(gdomap_t)
> +
> +miscfiles_read_localization(gdomap_t)
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
>   
>   fs_getattr_all_fs(irqbalance_t)
>   fs_search_auto_mountpoints(irqbalance_t)
> +fs_search_tmpfs(irqbalance_t)
>   
>   domain_use_interactive_fds(irqbalance_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20180701/policy/modules/services/jabber.te
> @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
>   allow jabberd_domain self:tcp_socket { accept listen };
>   
>   manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
> +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
>   
>   kernel_read_system_state(jabberd_domain)
>   
> @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
>   corenet_tcp_sendrecv_generic_if(jabberd_domain)
>   corenet_tcp_sendrecv_generic_node(jabberd_domain)
>   corenet_tcp_bind_generic_node(jabberd_domain)
> +corenet_udp_bind_generic_node(jabberd_domain)
>   
>   dev_read_urand(jabberd_domain)
>   dev_read_sysfs(jabberd_domain)
> Index: refpolicy-2.20180701/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20180701/policy/modules/services/mon.te
> @@ -161,6 +161,7 @@ optional_policy(`
>   
>   allow mon_local_test_t self:capability sys_admin;
>   allow mon_local_test_t self:fifo_file rw_file_perms;
> +allow mon_local_test_t self:process getsched;
>   
>   can_exec(mon_local_test_t, mon_local_test_exec_t)
>   
> @@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
>   
>   kernel_dontaudit_getattr_core_if(mon_local_test_t)
>   kernel_getattr_proc(mon_local_test_t)
> +# for ps
> +kernel_read_kernel_sysctls(mon_local_test_t)
>   kernel_read_software_raid_state(mon_local_test_t)
>   kernel_read_system_state(mon_local_test_t)
>   
> @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
>   
>   logging_send_syslog_msg(mon_local_test_t)
>   
> +miscfiles_read_generic_certs(mon_t)
>   miscfiles_read_localization(mon_local_test_t)
>   
>   sysnet_read_config(mon_local_test_t)
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
>   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
>   allow NetworkManager_t self:packet_socket create_socket_perms;
>   allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
>   
>   allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
>   
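Review bot: `allow NetworkManager_t self:rawip_socket { create setopt getattr write read };` opens raw IP sockets, which also requires the `net_raw` capability; the `self:capability` rule for NetworkManager_t is outside this hunk, so whether it is already granted cannot be confirmed here. A comment naming the feature that needs raw sockets would help, as the surrounding socket rules carry none. If the permission set grows later, `create_socket_perms` would match the style of the neighbouring `packet_socket` and `socket` rules.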
> Index: refpolicy-2.20180701/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20180701/policy/modules/services/policykit.te
> @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
>   
>   optional_policy(`
>   	dbus_system_domain(policykit_t, policykit_exec_t)
> +	init_dbus_chat(policykit_t)
>   
>   	userdom_dbus_send_all_users(policykit_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> @@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
>   manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   
> +optional_policy(`
> +	init_dbus_chat(postfix_bounce_t)
> +')
> +
>   ########################################
>   #
>   # Cleanup local policy
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -248,6 +248,9 @@ optional_policy(`
>   # sshd_t is the domain for the sshd program.
>   #
>   
> +# for /run/user/UID/bus access, probably pam_systemd.so
> +allow sshd_t self:capability dac_read_search;
> +
>   # so a tunnel can point to another ssh tunnel
>   allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
>   allow sshd_t self:key { search link write };
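Review bot: `allow sshd_t self:capability dac_read_search;` gives a network-facing daemon a blanket DAC read/search bypass, and the only justification is the tentative comment `# for /run/user/UID/bus access, probably pam_systemd.so`. Before a capability lands on sshd_t the triggering denial should be pinned down (the path and the PAM module) and the comment rewritten as a statement of fact; if the access really is to a user's runtime directory, it is worth checking whether the existing `auth_use_pam_systemd(sshd_t)` path seen in the ssh.te hunk earlier in this thread already covers it without the capability. This hunk is quoted from the original submission.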
> Index: refpolicy-2.20180701/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20180701/policy/modules/services/tor.te
> @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
>   corenet_tcp_sendrecv_all_reserved_ports(tor_t)
>   
>   dev_read_sysfs(tor_t)
> +dev_read_rand(tor_t)
>   dev_read_urand(tor_t)
>   
>   domain_use_interactive_fds(tor_t)
> @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
>   
>   logging_send_syslog_msg(tor_t)
>   
> +miscfiles_read_generic_certs(tor_t)
>   miscfiles_read_localization(tor_t)
>   
>   tunable_policy(`tor_bind_all_unreserved_ports',`

Merged.

-- 
Chris PeBenito


* [PATCH] misc services patches
@ 2019-01-04  7:33 Russell Coker
  2019-01-05 18:34 ` Chris PeBenito
  0 siblings, 1 reply; 11+ messages in thread
From: Russell Coker @ 2019-01-04  7:33 UTC (permalink / raw)
  To: selinux-refpolicy

Lots of little patches to services.

Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
 userdom_getattr_user_ttys(boinc_t)
 
 optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_t)
+	apt_read_db(boinc_t)
+	dpkg_exec(boinc_t)
+	dpkg_read_db(boinc_t)
+
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
 	java_exec(boinc_project_t)
 ')
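Review bot: The new `optional_policy` block mixes `apt_*` and `dpkg_*` interfaces, but an `optional_policy` block is resolved as a whole, so if either the apt or the dpkg module is missing all eight rules drop out together, including those whose module is present. Split it into one block for apt and one for dpkg, keeping the `# for lsb_release -a` comment on each. Note also that `dpkg_exec(boinc_project_t)` runs dpkg inside the domain entered via `domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)` earlier in this file; if only `boinc_t` runs lsb_release, the project-domain half could be dropped, which cannot be told from here. The same hunk is quoted in the reply above.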
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
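Review bot: The comment `# gdomap_var_run_t dir is for chroot` explains the `dir search` rule, but a chroot() call also needs the `sys_chroot` capability on `gdomap_t`; the `self:capability` rule is only visible truncated in the hunk header (`{ net_bin…`), so whether it already includes `sys_chroot` cannot be confirmed from here. If it does not, the chroot will still fail despite the new search permission. The `.fc` hunk labels `/run/gdomap(/.*)?` with the same type as the pid file, which is fine for a search-only rule but worth a comment if the daemon is expected to write inside the chroot.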
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
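Review bot: `allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;` sits directly under a `manage_files_pattern` call on the same type, and the refpolicy idiom for the directory half is the matching pattern macro: `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`. The raw allow is not wrong, it is just inconsistent with the line above it, and the pattern form is what a later reader will look for when checking what the domain may do under its var_lib type.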
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)
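Review bot: `corenet_udp_bind_generic_node(jabberd_domain)` supplies the node half of a UDP bind but no port half, and nothing in view adds a `corenet_udp_bind_*_port` call or a `self:udp_socket` rule (the only socket rule visible is the `self:tcp_socket { accept listen }` line in the previous hunk); unless those exist elsewhere in the file, the bind will still fail on name_bind. A comment naming the UDP listener, e.g. `# UDP bind for <jabberd service — TODO confirm>`, together with the matching port interface would make the grant complete and auditable.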
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
+miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
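Review bot: `miscfiles_read_generic_certs(mon_t)` is placed among the mon_local_test_t rules (every neighbouring line, and the hunk header's `init_getattr_initctl(mon_local_test_t)`, belongs to that domain), so either the rule belongs in the mon_t section of the file or the intended argument is mon_local_test_t, which presumably is the domain that would need CA certificates for a TLS check. As written it reads like a copy-paste slip and breaks the file's per-domain grouping; moving it or changing the argument fixes either case. The mon_t section itself is outside this hunk.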
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
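Review bot: `allow NetworkManager_t self:rawip_socket { create setopt getattr write read };` is a hand-picked set where the neighbouring lines use `create_socket_perms`, which is a reasonable least-privilege choice for a raw IP socket but leaves the reader to guess which feature needs it. A comment naming the consumer, e.g. `# raw IP socket for <NetworkManager feature — TODO confirm>; deliberately narrower than create_socket_perms`, would justify the grant and stop a later cleanup from widening it. Raw sockets also require net_raw in the self:capability rule, which is outside this hunk and cannot be checked here.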
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
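Review bot: `init_dbus_chat(postfix_bounce_t)` grants dbus send_msg in both directions with init_t, but nothing in this hunk gives postfix_bounce_t a client connection to the system bus, so unless `dbus_system_bus_client(postfix_bounce_t)` exists elsewhere in the file the rule is unreachable, and a bounce daemon chatting with init over dbus is unusual enough to deserve a comment quoting the motivating denial. The policykit hunk in this same patch puts the same call inside the existing dbus optional_policy block next to `dbus_system_domain`, which is the more consistent placement. Either pair it with `dbus_system_bus_client(postfix_bounce_t)` in the same block, or drop it if the denial turns out to be a dontaudit case.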
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
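Review bot: `allow sshd_t self:capability dac_read_search;` is a filesystem-wide read/search DAC bypass handed to the network-facing sshd domain on the strength of a comment that says "probably pam_systemd.so"; the denial should be confirmed before the grant lands. If `/run/user/UID/bus` is only probed and the session still works when denied, `dontaudit sshd_t self:capability dac_read_search;` is the safer rule; if it is genuinely required, the comment should drop "probably" and name the component, e.g. `# pam_systemd.so searches the user's 0700 /run/user/UID for the session bus`. If sshd_t already carries dac_override in the self:capability rule outside this hunk, the directory search already succeeds through that capability and the logged dac_read_search denial is noise that a dontaudit, not an allow, should silence.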
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`

