* [PATCH] little misc patches
@ 2021-02-03  4:10 Russell Coker
  2021-02-03 17:50 ` Dominick Grift
From: Russell Coker @ 2021-02-03  4:10 UTC (permalink / raw)
  To: selinux-refpolicy

More little misc patches.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210203/policy/modules/admin/acct.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
+++ refpolicy-2.20210203/policy/modules/admin/acct.te
@@ -57,6 +57,7 @@ init_use_fds(acct_t)
 init_use_script_ptys(acct_t)
 init_exec_script_files(acct_t)
 
+logging_search_logs(acct_t)
 logging_send_syslog_msg(acct_t)
 
 miscfiles_read_localization(acct_t)
Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
@@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
 allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
 allow bootloader_t self:process { signal_perms execmem };
 allow bootloader_t self:fifo_file rw_fifo_file_perms;
+allow bootloader_t self:netlink_selinux_socket connected_socket_perms;
 
 allow bootloader_t bootloader_etc_t:file read_file_perms;
 # uncomment the following lines if you use "lilo -p"
@@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
 files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
 
 kernel_getattr_core_if(bootloader_t)
+kernel_read_crypto_sysctls(bootloader_t)
 kernel_read_network_state(bootloader_t)
 kernel_read_system_state(bootloader_t)
 kernel_read_software_raid_state(bootloader_t)
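Review bot: `kernel_read_crypto_sysctls(bootloader_t)` is added with no comment recording which bootloader tool reads the crypto sysctls (presumably a FIPS-mode probe by a linked library, but that is a guess from the interface name). The surrounding file explains its odd rules (see `# uncomment the following lines if you use "lilo -p"` in the previous hunk), so a one-liner such as `# grub/lilo check /proc/sys/crypto at startup` (adjusted to the observed denial) would keep that habit and let the rule be revisited if the need disappears.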
@@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
 
 mount_rw_runtime_files(bootloader_t)
 
+selinux_get_enforce_mode(bootloader_t)
 selinux_getattr_fs(bootloader_t)
+selinux_search_fs(bootloader_t)
+selinux_use_status_page(bootloader_t)
 seutil_read_bin_policy(bootloader_t)
+seutil_read_config(bootloader_t)
 seutil_read_file_contexts(bootloader_t)
 seutil_read_loadpolicy(bootloader_t)
 seutil_dontaudit_search_config(bootloader_t)
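Review bot: `seutil_read_config(bootloader_t)` very likely makes the pre-existing `seutil_dontaudit_search_config(bootloader_t)` on the last context line dead, since reading the config should already include searching its directory; if that is the case, drop the dontaudit in this patch so the two rules do not contradict each other. The four new SELinux-introspection interfaces (`selinux_get_enforce_mode`, `selinux_search_fs`, `selinux_use_status_page`, `seutil_read_config`) also carry no comment saying which bootloader operation now consults the enforcing state and status page; a short comment in the file's existing style would make the grant auditable later. The enclosing bootloader_t policy block continues outside this hunk.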
Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
+++ refpolicy-2.20210203/policy/modules/admin/brctl.te
@@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
 # Local policy
 #
 
-allow brctl_t self:capability net_admin;
+allow brctl_t self:capability { net_admin sys_module };
 allow brctl_t self:fifo_file rw_fifo_file_perms;
 allow brctl_t self:unix_stream_socket create_stream_socket_perms;
 allow brctl_t self:unix_dgram_socket create_socket_perms;
Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
@@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
 init_stream_connect(logrotate_t)
 init_manage_all_units(logrotate_t)
 
+libs_exec_lib_files(logrotate_t)
+
 logging_manage_all_logs(logrotate_t)
 logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
+++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
@@ -1,3 +1,4 @@
 /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
+/usr/bin/cdrskin	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
 /usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
Index: refpolicy-2.20210203/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210203/policy/modules/apps/games.te
@@ -92,7 +92,9 @@ optional_policy(`
 allow games_t self:fifo_file rw_fifo_file_perms;
 allow games_t self:sem create_sem_perms;
 allow games_t self:tcp_socket { accept listen };
+allow games_t self:process getsched;
 
+manage_dirs_pattern(games_t, games_data_t, games_data_t)
 manage_files_pattern(games_t, games_data_t, games_data_t)
 manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
 
@@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
 
 manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
 manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
+allow games_t games_tmp_t:file map;
+
 files_tmp_filetrans(games_t, games_tmp_t, { file dir })
 
 manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
@@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
 corenet_sendrecv_generic_client_packets(games_t)
 corenet_tcp_connect_generic_port(games_t)
 
+corenet_udp_bind_generic_node(games_t)
+
 dev_read_sound(games_t)
 dev_read_input(games_t)
 dev_read_mouse(games_t)
@@ -136,13 +142,16 @@ dev_rw_dri(games_t)
 dev_write_sound(games_t)
 
 files_list_var(games_t)
+files_search_mnt(games_t)
 files_search_var_lib(games_t)
 files_dontaudit_search_var(games_t)
+files_map_usr_files(games_t)
 files_read_etc_files(games_t)
 files_read_usr_files(games_t)
 files_read_var_files(games_t)
 
 fs_dontaudit_getattr_xattr_fs(games_t)
+fs_search_nfs(games_t)
 
 init_dontaudit_rw_utmp(games_t)
 
@@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
 userdom_manage_user_tmp_files(games_t)
 userdom_manage_user_tmp_symlinks(games_t)
 userdom_manage_user_tmp_sockets(games_t)
+userdom_use_user_ptys(games_t)
 userdom_dontaudit_read_user_home_content_files(games_t)
 
 tunable_policy(`allow_execmem',`
@@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
 
 optional_policy(`
 	alsa_read_config(games_t)
+	alsa_read_home_files(games_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
+++ refpolicy-2.20210203/policy/modules/apps/gpg.te
@@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
 miscfiles_read_localization(gpg_t)
 
 userdom_use_user_terminals(gpg_t)
+userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
 
 userdom_manage_user_tmp_dirs(gpg_t)
 userdom_manage_user_tmp_files(gpg_t)
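Review bot: `userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)` lets gpg_t create files directly in the home-directory root labelled as generic user home content, but nothing says which file triggers it (an output file from `gpg -o`, or something gpg itself maintains?). Add a comment such as `# output files written directly into $HOME` adjusted to the real case, so reviewers can confirm this is not papering over a missing named transition for a gpg-owned file that should stay under gpg's own secret type.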
Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
+++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
@@ -137,6 +137,7 @@ ifdef(`distro_suse', `
 /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
+/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
 /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
 /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
 /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
@@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
 allow sysadm_t self:capability audit_write;
 allow sysadm_t self:system status;
 
+kernel_request_load_module(sysadm_t)
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
@@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
 
 init_exec(sysadm_t)
 init_admin(sysadm_t)
+init_rw_stream_sockets(sysadm_t)
 
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
@@ -29,6 +29,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ssh_role_template(user, user_r, user_t)
+')
+
+optional_policy(`
 	vlock_run(user_t, user_r)
 ')
 
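Review bot: Moving `ssh_role_template(user, user_r, user_t)` out of the `ifndef(\`distro_redhat'` block (this hunk together with the removal in the next hunk, @@ -162,10 +166,6 @@) is a behavioural change for Red Hat builds, which now get the ssh role template for user_r; the commit message "More little misc patches." does not mention it. State the intent in the description (why distro_redhat should no longer be excluded), or split it into its own patch so it can be reviewed and reverted independently of the small permission additions.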
@@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
 	')
 
 	optional_policy(`
-		ssh_role_template(user, user_r, user_t)
-	')
-
-	optional_policy(`
 		su_role_template(user, user_r, user_t)
 	')
 
Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
+++ refpolicy-2.20210203/policy/modules/system/authlogin.te
@@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
 
 logging_search_logs(utempter_t)
 
+term_use_ptmx(utempter_t)
+
 userdom_use_user_terminals(utempter_t)
 # Allow utemper to write to /tmp/.xses-*
 userdom_write_user_tmp_files(utempter_t)
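Review bot: `term_use_ptmx(utempter_t)` is added without a comment, while the neighbouring rule documents its purpose (`# Allow utemper to write to /tmp/.xses-*`). If, as the helper's name suggests, utempter receives the pty it records as an inherited descriptor rather than opening /dev/ptmx itself, a line such as `# the pty master is handed over as an inherited fd` (adjusted to the observed denial) would record why read/write on ptmx is needed; the same applies to `xserver_write_inherited_xsession_log(utempter_t)` in the following hunk.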
@@ -406,6 +408,7 @@ optional_policy(`
 optional_policy(`
 	xserver_use_xdm_fds(utempter_t)
 	xserver_rw_xdm_pipes(utempter_t)
+	xserver_write_inherited_xsession_log(utempter_t)
 ')
 
 #######################################
Index: refpolicy-2.20210203/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.if
+++ refpolicy-2.20210203/policy/modules/system/init.if
@@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
 	allow $1 { init_script_file_type systemdunit }:service reload;
 ')
 
+#######################################
+## <summary>
+##	getattr all systemd unit files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`init_getattr_all_units',`
+	gen_require(`
+		attribute systemdunit;
+	')
+
+	allow $1 systemdunit:file getattr;
+')
+
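Review bot: The new `init_getattr_all_units` interface has no caller anywhere in this patch, so it lands as dead policy; either add the domain that needed it or hold the interface back until that caller exists. Two style points against the neighbouring interface visible at the bottom of the hunk: the separator line above `<summary>` appears one `#` shorter than the one that follows, and the summary should be a capitalised sentence, e.g. `##	Get the attributes of all systemd unit files.`; refpolicy also usually spells the permission as `getattr_file_perms` rather than a bare `getattr`.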
 ########################################
 ## <summary>
 ##	Manage systemd unit dirs and the files in them
Index: refpolicy-2.20210203/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/init.te
+++ refpolicy-2.20210203/policy/modules/system/init.te
@@ -244,7 +244,6 @@ ifdef(`init_systemd',`
 	allow init_t self:udp_socket create_socket_perms;
 	allow init_t self:netlink_route_socket create_netlink_socket_perms;
 	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
-	allow init_t self:capability2 audit_read;
 	allow init_t self:key { search setattr write };
 	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
 
@@ -262,7 +261,7 @@ ifdef(`init_systemd',`
 
 	# setexec and setkeycreate for systemd --user
 	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
-	allow init_t self:capability2 { audit_read block_suspend };
+	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
 	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
 	allow init_t self:unix_dgram_socket lock;
 
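Review bot: `bpf` and `perfmon` are added to init_t's capability2 set without a comment, whereas the line above documents its permissions (`# setexec and setkeycreate for systemd --user`). These two capabilities only exist on kernels that split them out of CAP_SYS_ADMIN (5.8 and later), so a comment such as `# bpf and perfmon: systemd's cgroup BPF programs on kernels >= 5.8` would record both the reason and the kernel dependency. The removal of the duplicated `audit_read` line in the previous hunk is consistent with the set kept here.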
@@ -428,6 +427,7 @@ ifdef(`init_systemd',`
 	miscfiles_watch_localization(init_t)
 
 	mount_watch_runtime_dirs(init_t)
+	mount_watch_runtime_files_reads(init_t)
 
 	# systemd_socket_activated policy
 	mls_socket_write_all_levels(init_t)
Index: refpolicy-2.20210203/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/logging.te
+++ refpolicy-2.20210203/policy/modules/system/logging.te
@@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
 
 userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
 userdom_dontaudit_search_user_home_dirs(syslogd_t)
+userdom_search_user_runtime_root(syslogd_t)
 
 ifdef(`init_systemd',`
 	# for systemd-journal
@@ -549,6 +550,8 @@ ifdef(`init_systemd',`
 	systemd_manage_journal_files(syslogd_t)
 
 	udev_read_runtime_files(syslogd_t)
+	userdom_list_user_tmp(syslogd_t)
+	userdom_read_user_tmp_symlinks(syslogd_t)
 ')
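Review bot: `userdom_list_user_tmp(syslogd_t)` and `userdom_read_user_tmp_symlinks(syslogd_t)` let the syslog daemon (journald, per the `# for systemd-journal` comment in the previous hunk) enumerate user-owned /tmp content and read user-created symlinks, with no comment saying what it looks for there. Reading the link itself does not grant access to its target, but it signals that a privileged daemon is resolving user-controlled paths, so record the triggering access and confirm it cannot be satisfied more narrowly than all of user tmp. The same question applies to `userdom_search_user_runtime_root(syslogd_t)` in the previous hunk.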
 
 ifdef(`distro_gentoo',`
Index: refpolicy-2.20210203/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20210203/policy/modules/system/lvm.te
@@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
 files_list_usr(clvmd_t)
 
 fs_getattr_all_fs(clvmd_t)
+fs_getattr_pstore_dirs(lvm_t)
 fs_search_auto_mountpoints(clvmd_t)
+fs_search_cgroup_dirs(lvm_t)
 fs_dontaudit_list_tmpfs(clvmd_t)
 fs_dontaudit_read_removable_files(clvmd_t)
 fs_rw_anon_inodefs_files(clvmd_t)
+fs_search_bpf(lvm_t)
 
 storage_dontaudit_getattr_removable_dev(clvmd_t)
 storage_manage_fixed_disk(clvmd_t)
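Review bot: The three added rules name `lvm_t` but are inserted into the `clvmd_t` block (every context line in this hunk is a clvmd_t rule), so they sit in the wrong section of the file; move `fs_getattr_pstore_dirs(lvm_t)`, `fs_search_cgroup_dirs(lvm_t)` and `fs_search_bpf(lvm_t)` down to the lvm_t local policy where the other `*(lvm_t)` calls live (around the third hunk, @@ -298,6 +300,8 @@), or, if clvmd_t was the intended domain, fix the argument. Separately, the second hunk deletes `# LVM will complain a lot if it cannot set its priority.` while keeping the `setsched` rule it explains; the rationale should stay with the rule.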
@@ -167,7 +170,6 @@ optional_policy(`
 allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
 dontaudit lvm_t self:capability sys_tty_config;
 allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
-# LVM will complain a lot if it cannot set its priority.
 allow lvm_t self:process setsched;
 allow lvm_t self:file rw_file_perms;
 allow lvm_t self:fifo_file manage_fifo_file_perms;
@@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
 
 storage_relabel_fixed_disk(lvm_t)
 storage_dontaudit_read_removable_device(lvm_t)
+storage_getattr_removable_dev(lvm_t)
+
 # LVM creates block devices in /dev/mapper or /dev/<vg>
 # depending on its version
 # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
Index: refpolicy-2.20210203/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20210203/policy/modules/system/modutils.te
@@ -34,6 +34,7 @@ ifdef(`init_systemd',`
 #
 
 allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
+allow kmod_t self:lockdown confidentiality;
 allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
 # for the radeon/amdgpu modules
 dontaudit kmod_t self:capability sys_admin;
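Review bot: `allow kmod_t self:lockdown confidentiality;` grants an unusual, kernel-wide permission with no comment, although the very next line shows the file's habit of explaining odd rules (`# for the radeon/amdgpu modules`). Record which access hits the lockdown confidentiality check so reviewers can judge whether a `dontaudit` is the better choice if the operation is merely probed; the same applies to the identical rule added for udev_t in udev.te (@@ -43,6 +43,7 @@).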
Index: refpolicy-2.20210203/policy/modules/system/mount.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/mount.te
+++ refpolicy-2.20210203/policy/modules/system/mount.te
@@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
 files_dontaudit_write_all_mountpoints(mount_t)
 files_dontaudit_setattr_all_mountpoints(mount_t)
 
+fs_getattr_binfmt_misc_fs(mount_t)
 fs_getattr_xattr_fs(mount_t)
 fs_getattr_tmpfs(mount_t)
 fs_getattr_rpc_pipefs(mount_t)
 fs_getattr_cifs(mount_t)
 fs_getattr_nfs(mount_t)
 fs_mount_all_fs(mount_t)
+fs_manage_tmpfs_dirs(mount_t)
 fs_unmount_all_fs(mount_t)
 fs_remount_all_fs(mount_t)
 fs_relabelfrom_all_fs(mount_t)
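Review bot: `fs_manage_tmpfs_dirs(mount_t)` gives mount_t create/delete/rename on directories of every tmpfs_t filesystem, which is far broader than the rest of this hunk (getattr, mount, unmount, remount on filesystems). If the trigger was creating a mount point below a tmpfs, say so in a comment and check whether a labelled runtime type plus a filetrans covers it; otherwise a search-only grant such as `fs_search_tmpfs(mount_t)` may be all that is needed.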
Index: refpolicy-2.20210203/policy/modules/system/raid.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/raid.te
+++ refpolicy-2.20210203/policy/modules/system/raid.te
@@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
 files_read_etc_files(mdadm_t)
 files_read_etc_runtime_files(mdadm_t)
 files_dontaudit_getattr_all_files(mdadm_t)
+files_search_tmp(mdadm_t)
 
 fs_getattr_all_fs(mdadm_t)
 fs_list_auto_mountpoints(mdadm_t)
Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
@@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
 fs_relabelfrom_noxattr_fs(restorecond_t)
 fs_getattr_pstorefs(restorecond_t)
 
+logging_watch_generic_logs_dir(restorecond_t)
+
 selinux_validate_context(restorecond_t)
 selinux_compute_access_vector(restorecond_t)
 selinux_compute_create_context(restorecond_t)
 selinux_compute_relabel_context(restorecond_t)
 selinux_compute_user_contexts(restorecond_t)
+seutil_read_file_contexts(restorecond_t)
 
 files_relabel_non_auth_files(restorecond_t )
 files_dontaudit_read_all_symlinks(restorecond_t)
+files_watch_etc_dirs(restorecond_t)
+files_watch_runtime_dirs(restorecond_t)
 auth_use_nsswitch(restorecond_t)
 
 logging_send_syslog_msg(restorecond_t)
@@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
 # the failed access to the current directory
 dontaudit run_init_t self:capability { dac_override dac_read_search };
 
+kernel_getattr_proc(run_init_t)
+
 corecmd_exec_bin(run_init_t)
 corecmd_exec_shell(run_init_t)
 
@@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
 allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
 allow setfiles_t file_context_t:file map;
 
+kernel_read_kernel_sysctls(setfiles_t)
 kernel_read_system_state(setfiles_t)
 kernel_relabelfrom_unlabeled_dirs(setfiles_t)
 kernel_relabelfrom_unlabeled_files(setfiles_t)
Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
@@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
 dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
 # for access("/etc/bashrc", X_OK) on Red Hat
 dontaudit dhcpc_t self:capability { dac_read_search sys_module };
-allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
+allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
 
 allow dhcpc_t self:fifo_file rw_fifo_file_perms;
 allow dhcpc_t self:tcp_socket create_stream_socket_perms;
Index: refpolicy-2.20210203/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/udev.te
+++ refpolicy-2.20210203/policy/modules/system/udev.te
@@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
 allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
 dontaudit udev_t self:capability sys_tty_config;
 allow udev_t self:capability2 { wake_alarm block_suspend };
+allow udev_t self:lockdown confidentiality;
 allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
 allow udev_t self:fd use;
 allow udev_t self:fifo_file rw_fifo_file_perms;
@@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
 manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
 
 manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
+allow udev_t udev_runtime_t:dir watch;
 manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
 manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
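Review bot: The new `allow udev_t udev_runtime_t:dir watch;` is wedged between `manage_dirs_pattern` and `manage_files_pattern` for the same types; place it after the pattern group (below the `manage_sock_files_pattern` line) so the pattern calls stay together as they are elsewhere in the file.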
@@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
 files_read_usr_files(udev_t)
 files_read_etc_runtime_files(udev_t)
 files_read_etc_files(udev_t)
+files_read_var_lib_symlinks(udev_t)
 files_mmap_read_kernel_modules(udev_t)
 files_exec_etc_files(udev_t)
 files_getattr_generic_locks(udev_t)
@@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
 fs_list_inotifyfs(udev_t)
 fs_read_cgroup_files(udev_t)
 fs_rw_anon_inodefs_files(udev_t)
+fs_search_tmpfs(udev_t)
 fs_search_tracefs(udev_t)
 
 mcs_ptrace_all(udev_t)
@@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
 auth_domtrans_pam_console(udev_t)
 auth_use_nsswitch(udev_t)
 
+# for /run/console-setup
+fs_manage_tmpfs_dirs(udev_t)
+fs_manage_tmpfs_files(udev_t)
+
 init_read_utmp(udev_t)
 init_domtrans_script(udev_t)
 # systemd-udevd searches /run/systemd
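Review bot: `fs_manage_tmpfs_dirs(udev_t)` / `fs_manage_tmpfs_files(udev_t)` are justified by `# for /run/console-setup`, but they grant udev_t write access to every tmpfs_t directory and file system-wide, not just that path, and they become unconditional now that the non-systemd branch is removed in the last hunk (@@ -260,9 +268,6 @@). If content under /run/console-setup is ending up labelled tmpfs_t, the narrower fix is a file context plus a filetrans to a runtime type so udev only needs access to its own type; keep the broad rule only if the denial really is on unlabelled tmpfs content, and say so in the comment.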
@@ -260,9 +268,6 @@ ifdef(`init_systemd',`
 	optional_policy(`
 		init_dbus_chat(udev_t)
 	')
-',`
-	fs_manage_tmpfs_dirs(udev_t)
-	fs_manage_tmpfs_files(udev_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210203/policy/modules/system/unconfined.te
@@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
 logging_run_auditctl(unconfined_t, unconfined_r)
 
 mount_run_unconfined(unconfined_t, unconfined_r)
+mount_watch_runtime_files_reads(unconfined_t)
 
 seutil_run_setfiles(unconfined_t, unconfined_r)
 seutil_run_semanage(unconfined_t, unconfined_r)


* Re: [PATCH] little misc patches
  2021-02-03  4:10 [PATCH] little misc patches Russell Coker
@ 2021-02-03 17:50 ` Dominick Grift
From: Dominick Grift @ 2021-02-03 17:50 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> More little misc patches.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/admin/acct.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
> +++ refpolicy-2.20210203/policy/modules/admin/acct.te
> @@ -57,6 +57,7 @@ init_use_fds(acct_t)
>  init_use_script_ptys(acct_t)
>  init_exec_script_files(acct_t)
>  
> +logging_search_logs(acct_t)
>  logging_send_syslog_msg(acct_t)
>  
>  miscfiles_read_localization(acct_t)
> Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
> @@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
>  allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
>  allow bootloader_t self:process { signal_perms execmem };
>  allow bootloader_t self:fifo_file rw_fifo_file_perms;
> +allow bootloader_t self:netlink_selinux_socket
>  connected_socket_perms;

this can be dontaudited (or even just removed): the status_page API falls back to this socket only when the status page cannot be mapped, and since you allow the map below, this access should no longer be triggered

>  
>  allow bootloader_t bootloader_etc_t:file read_file_perms;
>  # uncomment the following lines if you use "lilo -p"
> @@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
>  files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>  
>  kernel_getattr_core_if(bootloader_t)
> +kernel_read_crypto_sysctls(bootloader_t)
>  kernel_read_network_state(bootloader_t)
>  kernel_read_system_state(bootloader_t)
>  kernel_read_software_raid_state(bootloader_t)
> @@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
>  
>  mount_rw_runtime_files(bootloader_t)
>  
> +selinux_get_enforce_mode(bootloader_t)
>  selinux_getattr_fs(bootloader_t)
> +selinux_search_fs(bootloader_t)
> +selinux_use_status_page(bootloader_t)
>  seutil_read_bin_policy(bootloader_t)
> +seutil_read_config(bootloader_t)
>  seutil_read_file_contexts(bootloader_t)
>  seutil_read_loadpolicy(bootloader_t)
>  seutil_dontaudit_search_config(bootloader_t)
> Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
> +++ refpolicy-2.20210203/policy/modules/admin/brctl.te
> @@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
>  # Local policy
>  #
>  
> -allow brctl_t self:capability net_admin;
> +allow brctl_t self:capability { net_admin sys_module };

use the appropriate interface for loading kernel modules instead

>  allow brctl_t self:fifo_file rw_fifo_file_perms;
>  allow brctl_t self:unix_stream_socket create_stream_socket_perms;
>  allow brctl_t self:unix_dgram_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
> @@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
>  init_stream_connect(logrotate_t)
>  init_manage_all_units(logrotate_t)
>  
> +libs_exec_lib_files(logrotate_t)

probably a mislabeled file, better to address the labeling issue

> +
>  logging_manage_all_logs(logrotate_t)
>  logging_send_syslog_msg(logrotate_t)
>  logging_send_audit_msgs(logrotate_t)
> Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
> +++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> @@ -1,3 +1,4 @@
>  /usr/bin/cdrecord	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
> +/usr/bin/cdrskin	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
>  /usr/bin/growisofs	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
>  /usr/bin/wodim	--	gen_context(system_u:object_r:cdrecord_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210203/policy/modules/apps/games.te
> @@ -92,7 +92,9 @@ optional_policy(`
>  allow games_t self:fifo_file rw_fifo_file_perms;
>  allow games_t self:sem create_sem_perms;
>  allow games_t self:tcp_socket { accept listen };
> +allow games_t self:process getsched;
>  
> +manage_dirs_pattern(games_t, games_data_t, games_data_t)
>  manage_files_pattern(games_t, games_data_t, games_data_t)
>  manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
>  
> @@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
>  
>  manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
>  manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
> +allow games_t games_tmp_t:file map;
> +
>  files_tmp_filetrans(games_t, games_tmp_t, { file dir })
>  
>  manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
> @@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
>  corenet_sendrecv_generic_client_packets(games_t)
>  corenet_tcp_connect_generic_port(games_t)
>  
> +corenet_udp_bind_generic_node(games_t)
> +
>  dev_read_sound(games_t)
>  dev_read_input(games_t)
>  dev_read_mouse(games_t)
> @@ -136,13 +142,16 @@ dev_rw_dri(games_t)
>  dev_write_sound(games_t)
>  
>  files_list_var(games_t)
> +files_search_mnt(games_t)
>  files_search_var_lib(games_t)
>  files_dontaudit_search_var(games_t)
> +files_map_usr_files(games_t)
>  files_read_etc_files(games_t)
>  files_read_usr_files(games_t)
>  files_read_var_files(games_t)
>  
>  fs_dontaudit_getattr_xattr_fs(games_t)
> +fs_search_nfs(games_t)
>  
>  init_dontaudit_rw_utmp(games_t)
>  
> @@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
>  userdom_manage_user_tmp_files(games_t)
>  userdom_manage_user_tmp_symlinks(games_t)
>  userdom_manage_user_tmp_sockets(games_t)
> +userdom_use_user_ptys(games_t)
>  userdom_dontaudit_read_user_home_content_files(games_t)
>  
>  tunable_policy(`allow_execmem',`
> @@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
>  
>  optional_policy(`
>  	alsa_read_config(games_t)
> +	alsa_read_home_files(games_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20210203/policy/modules/apps/gpg.te
> @@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
>  miscfiles_read_localization(gpg_t)
>  
>  userdom_use_user_terminals(gpg_t)
> +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>  
>  userdom_manage_user_tmp_dirs(gpg_t)
>  userdom_manage_user_tmp_files(gpg_t)
> Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
> +++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
> @@ -137,6 +137,7 @@ ifdef(`distro_suse', `
>  /dev/vhci			-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/vhost-net		-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/vhost-scsi		-c	gen_context(system_u:object_r:vhost_device_t,s0)
> +/dev/vhost-vsock	-c	gen_context(system_u:object_r:vhost_device_t,s0)
>  /dev/video.*		-c	gen_context(system_u:object_r:v4l_device_t,s0)
>  /dev/vmmon		-c	gen_context(system_u:object_r:vmware_device_t,s0)
>  /dev/vmnet.*		-c	gen_context(system_u:object_r:vmware_device_t,s0)
> Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
> @@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
>  allow sysadm_t self:capability audit_write;
>  allow sysadm_t self:system status;
>  
> +kernel_request_load_module(sysadm_t)
> +
>  corecmd_exec_shell(sysadm_t)
>  
>  corenet_ib_access_unlabeled_pkeys(sysadm_t)
> @@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
>  
>  init_exec(sysadm_t)
>  init_admin(sysadm_t)
> +init_rw_stream_sockets(sysadm_t)
>  
>  # Add/remove user home directories
>  userdom_manage_user_home_dirs(sysadm_t)
> Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> @@ -29,6 +29,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	ssh_role_template(user, user_r, user_t)
> +')
> +
> +optional_policy(`
>  	vlock_run(user_t, user_r)
>  ')
>  
> @@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
>  	')
>  
>  	optional_policy(`
> -		ssh_role_template(user, user_r, user_t)
> -	')
> -
> -	optional_policy(`
>  		su_role_template(user, user_r, user_t)
>  	')
>  
> Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20210203/policy/modules/system/authlogin.te
> @@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
>  
>  logging_search_logs(utempter_t)
>  
> +term_use_ptmx(utempter_t)
> +
>  userdom_use_user_terminals(utempter_t)
>  # Allow utemper to write to /tmp/.xses-*
>  userdom_write_user_tmp_files(utempter_t)
> @@ -406,6 +408,7 @@ optional_policy(`
>  optional_policy(`
>  	xserver_use_xdm_fds(utempter_t)
>  	xserver_rw_xdm_pipes(utempter_t)
> +	xserver_write_inherited_xsession_log(utempter_t)
>  ')
>  
>  #######################################
> Index: refpolicy-2.20210203/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210203/policy/modules/system/init.if
> @@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
>  	allow $1 { init_script_file_type systemdunit }:service reload;
>  ')
>  
> +#######################################
> +## <summary>
> +##	getattr all systemd unit files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`init_getattr_all_units',`
> +	gen_require(`
> +		attribute systemdunit;
> +	')
> +
> +	allow $1 systemdunit:file getattr;
> +')
> +
>  ########################################
>  ## <summary>
>  ##	Manage systemd unit dirs and the files in them
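Review bot: `allow $1 systemdunit:file getattr;` covers only the file class, so a caller that stat()s a unit through one of the symlinks unit directories commonly hold (`.wants`/`.requires` entries) would presumably still be denied on lnk_file. If that is the intended use of the interface, add `allow $1 systemdunit:lnk_file getattr;` alongside it; if not, make the limit explicit in the summary, e.g. `##	getattr all systemd unit files (regular files only, not symlinks).` The interface is complete within the hunk.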
> Index: refpolicy-2.20210203/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210203/policy/modules/system/init.te
> @@ -244,7 +244,6 @@ ifdef(`init_systemd',`
>  	allow init_t self:udp_socket create_socket_perms;
>  	allow init_t self:netlink_route_socket create_netlink_socket_perms;
>  	allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> -	allow init_t self:capability2 audit_read;
>  	allow init_t self:key { search setattr write };
>  	allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
>  
> @@ -262,7 +261,7 @@ ifdef(`init_systemd',`
>  
>  	# setexec and setkeycreate for systemd --user
>  	allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
> -	allow init_t self:capability2 { audit_read block_suspend };
> +	allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
>  	allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
>  	allow init_t self:unix_dgram_socket lock;
>  
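Review bot: The `bpf perfmon` additions on the capability2 line carry no note of which systemd feature triggered them, unlike the `# setexec and setkeycreate for systemd --user` comment two lines above. CAP_BPF and CAP_PERFMON are the newer split-outs from CAP_SYS_ADMIN, so granting them to init_t is a deliberate widening of its capability surface and deserves a one-line rationale in the same style, e.g. `# bpf and perfmon for <systemd feature that needs them>`. The `self:bpf { map_create ... }` rule visible in the @@ -244 hunk is consistent with the grant, so the change at least hangs together.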
> @@ -428,6 +427,7 @@ ifdef(`init_systemd',`
>  	miscfiles_watch_localization(init_t)
>  
>  	mount_watch_runtime_dirs(init_t)
> +	mount_watch_runtime_files_reads(init_t)
>  
>  	# systemd_socket_activated policy
>  	mls_socket_write_all_levels(init_t)
> Index: refpolicy-2.20210203/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20210203/policy/modules/system/logging.te
> @@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
>  
>  userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
>  userdom_dontaudit_search_user_home_dirs(syslogd_t)
> +userdom_search_user_runtime_root(syslogd_t)
>  
>  ifdef(`init_systemd',`
>  	# for systemd-journal
> @@ -549,6 +550,8 @@ ifdef(`init_systemd',`
>  	systemd_manage_journal_files(syslogd_t)
>  
>  	udev_read_runtime_files(syslogd_t)
> +	userdom_list_user_tmp(syslogd_t)
> +	userdom_read_user_tmp_symlinks(syslogd_t)
>  ')
>  
>  ifdef(`distro_gentoo',`
> Index: refpolicy-2.20210203/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20210203/policy/modules/system/lvm.te
> @@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
>  files_list_usr(clvmd_t)
>  
>  fs_getattr_all_fs(clvmd_t)
> +fs_getattr_pstore_dirs(lvm_t)
>  fs_search_auto_mountpoints(clvmd_t)
> +fs_search_cgroup_dirs(lvm_t)
>  fs_dontaudit_list_tmpfs(clvmd_t)
>  fs_dontaudit_read_removable_files(clvmd_t)
>  fs_rw_anon_inodefs_files(clvmd_t)
> +fs_search_bpf(lvm_t)
>  
>  storage_dontaudit_getattr_removable_dev(clvmd_t)
>  storage_manage_fixed_disk(clvmd_t)
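Review bot: The three new lvm_t rules (`fs_getattr_pstore_dirs(lvm_t)`, `fs_search_cgroup_dirs(lvm_t)`, `fs_search_bpf(lvm_t)`) are interleaved with a block in which every surrounding call is for clvmd_t, so a reader scanning the clvmd_t section will take them for clvmd rules; they belong in the lvm_t section (the @@ -298 hunk below is in that region). `fs_search_bpf(lvm_t)` also deserves a why-comment, since search on the bpf filesystem is not an obvious need for an LVM tool; if it only silences a denial that does not affect LVM's function, a dontaudit form would be the smaller grant.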
> @@ -167,7 +170,6 @@ optional_policy(`
>  allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
>  dontaudit lvm_t self:capability sys_tty_config;
>  allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
> -# LVM will complain a lot if it cannot set its priority.
>  allow lvm_t self:process setsched;
>  allow lvm_t self:file rw_file_perms;
>  allow lvm_t self:fifo_file manage_fifo_file_perms;
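Review bot: The hunk deletes `# LVM will complain a lot if it cannot set its priority.` while keeping the `setsched` rule it explained, so the only recorded reason for that rule is lost. If the comment was removed because it is no longer accurate, replace it with the current reason rather than deleting it; otherwise keep it as is.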
> @@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
>  
>  storage_relabel_fixed_disk(lvm_t)
>  storage_dontaudit_read_removable_device(lvm_t)
> +storage_getattr_removable_dev(lvm_t)
> +
>  # LVM creates block devices in /dev/mapper or /dev/<vg>
>  # depending on its version
>  # LVM(2) needs to create directories (/dev/mapper, /dev/<vg>)
> Index: refpolicy-2.20210203/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20210203/policy/modules/system/modutils.te
> @@ -34,6 +34,7 @@ ifdef(`init_systemd',`
>  #
>  
>  allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
> +allow kmod_t self:lockdown confidentiality;
>  allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
>  # for the radeon/amdgpu modules
>  dontaudit kmod_t self:capability sys_admin;
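Review bot: `allow kmod_t self:lockdown confidentiality;` has no comment saying which operation hit the lockdown check, and the same rule is added for udev_t in the udev.te hunk at @@ -43. The confidentiality lockdown permission is a broad one (it covers the whole class of kernel-lockdown operations treated as exposing kernel internals), so each grant should record its trigger in the style this file already uses for `# for the radeon/amdgpu modules`, e.g. `# lockdown confidentiality: <operation that was denied>`. If the denial is only noise under a confidentiality lockdown rather than something kmod/udev need to succeed, a dontaudit would be the smaller change.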
> Index: refpolicy-2.20210203/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20210203/policy/modules/system/mount.te
> @@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
>  files_dontaudit_write_all_mountpoints(mount_t)
>  files_dontaudit_setattr_all_mountpoints(mount_t)
>  
> +fs_getattr_binfmt_misc_fs(mount_t)
>  fs_getattr_xattr_fs(mount_t)
>  fs_getattr_tmpfs(mount_t)
>  fs_getattr_rpc_pipefs(mount_t)
>  fs_getattr_cifs(mount_t)
>  fs_getattr_nfs(mount_t)
>  fs_mount_all_fs(mount_t)
> +fs_manage_tmpfs_dirs(mount_t)
>  fs_unmount_all_fs(mount_t)
>  fs_remount_all_fs(mount_t)
>  fs_relabelfrom_all_fs(mount_t)
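Review bot: `fs_manage_tmpfs_dirs(mount_t)` grants create/delete/rename on every tmpfs_t directory with no comment on what mount needs it for; the same interface is added for udev_t later in this series with `# for /run/console-setup`, and mount_t's trigger should be recorded the same way. Its placement between `fs_mount_all_fs` and `fs_unmount_all_fs` also splits the mount/unmount/remount group; putting it after the fs_getattr_* lines or after `fs_relabelfrom_all_fs` keeps that group readable.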
> Index: refpolicy-2.20210203/policy/modules/system/raid.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/raid.te
> +++ refpolicy-2.20210203/policy/modules/system/raid.te
> @@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
>  files_read_etc_files(mdadm_t)
>  files_read_etc_runtime_files(mdadm_t)
>  files_dontaudit_getattr_all_files(mdadm_t)
> +files_search_tmp(mdadm_t)
>  
>  fs_getattr_all_fs(mdadm_t)
>  fs_list_auto_mountpoints(mdadm_t)
> Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> @@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
>  fs_relabelfrom_noxattr_fs(restorecond_t)
>  fs_getattr_pstorefs(restorecond_t)
>  
> +logging_watch_generic_logs_dir(restorecond_t)
> +
>  selinux_validate_context(restorecond_t)
>  selinux_compute_access_vector(restorecond_t)
>  selinux_compute_create_context(restorecond_t)
>  selinux_compute_relabel_context(restorecond_t)
>  selinux_compute_user_contexts(restorecond_t)
> +seutil_read_file_contexts(restorecond_t)
>  
>  files_relabel_non_auth_files(restorecond_t )
>  files_dontaudit_read_all_symlinks(restorecond_t)
> +files_watch_etc_dirs(restorecond_t)
> +files_watch_runtime_dirs(restorecond_t)
>  auth_use_nsswitch(restorecond_t)
>  
>  logging_send_syslog_msg(restorecond_t)
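Review bot: `logging_watch_generic_logs_dir(restorecond_t)` is inserted as its own paragraph above the selinux_* block while the existing `logging_send_syslog_msg(restorecond_t)` sits at the bottom of the hunk, and `seutil_read_file_contexts(restorecond_t)` is appended to the selinux_* group without the blank line that separates module prefixes elsewhere in this section. Grouping the logging_ call next to `logging_send_syslog_msg` and giving the seutil_ call its own paragraph matches the surrounding layout. The added files_watch_* lines are fine where they are.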
> @@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
>  # the failed access to the current directory
>  dontaudit run_init_t self:capability { dac_override dac_read_search };
>  
> +kernel_getattr_proc(run_init_t)
> +
>  corecmd_exec_bin(run_init_t)
>  corecmd_exec_shell(run_init_t)
>  
> @@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
>  allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
>  allow setfiles_t file_context_t:file map;
>  
> +kernel_read_kernel_sysctls(setfiles_t)
>  kernel_read_system_state(setfiles_t)
>  kernel_relabelfrom_unlabeled_dirs(setfiles_t)
>  kernel_relabelfrom_unlabeled_files(setfiles_t)
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> @@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
>  dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
>  # for access("/etc/bashrc", X_OK) on Red Hat
>  dontaudit dhcpc_t self:capability { dac_read_search sys_module };
> -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
> +allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
>  
>  allow dhcpc_t self:fifo_file rw_fifo_file_perms;
>  allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20210203/policy/modules/system/udev.te
> @@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
>  allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
>  dontaudit udev_t self:capability sys_tty_config;
>  allow udev_t self:capability2 { wake_alarm block_suspend };
> +allow udev_t self:lockdown confidentiality;
>  allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
>  allow udev_t self:fd use;
>  allow udev_t self:fifo_file rw_fifo_file_perms;
> @@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
>  manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>  
>  manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> +allow udev_t udev_runtime_t:dir watch;
>  manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>  manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
>  manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
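Review bot: The raw `allow udev_t udev_runtime_t:dir watch;` is wedged between `manage_dirs_pattern` and `manage_files_pattern`, breaking up the run of pattern macros for udev_runtime_t. Placing it after `manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)` keeps the patterns together and makes the one extra permission easy to spot.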
> @@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
>  files_read_usr_files(udev_t)
>  files_read_etc_runtime_files(udev_t)
>  files_read_etc_files(udev_t)
> +files_read_var_lib_symlinks(udev_t)
>  files_mmap_read_kernel_modules(udev_t)
>  files_exec_etc_files(udev_t)
>  files_getattr_generic_locks(udev_t)
> @@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
>  fs_list_inotifyfs(udev_t)
>  fs_read_cgroup_files(udev_t)
>  fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tmpfs(udev_t)
>  fs_search_tracefs(udev_t)
>  
>  mcs_ptrace_all(udev_t)
> @@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
>  auth_domtrans_pam_console(udev_t)
>  auth_use_nsswitch(udev_t)
>  
> +# for /run/console-setup
then that shouldn't be labeled tmpfs_t?

> +fs_manage_tmpfs_dirs(udev_t)
> +fs_manage_tmpfs_files(udev_t)
> +
>  init_read_utmp(udev_t)
>  init_domtrans_script(udev_t)
>  # systemd-udevd searches /run/systemd
> @@ -260,9 +268,6 @@ ifdef(`init_systemd',`
>  	optional_policy(`
>  		init_dbus_chat(udev_t)
>  	')
> -',`
> -	fs_manage_tmpfs_dirs(udev_t)
> -	fs_manage_tmpfs_files(udev_t)
>  ')
>  
>  optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210203/policy/modules/system/unconfined.te
> @@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
>  logging_run_auditctl(unconfined_t, unconfined_r)
>  
>  mount_run_unconfined(unconfined_t, unconfined_r)
> +mount_watch_runtime_files_reads(unconfined_t)
>  
>  seutil_run_setfiles(unconfined_t, unconfined_r)
>  seutil_run_semanage(unconfined_t, unconfined_r)
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
