[PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix

[PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix

[Russell Coker]

Trivial stuff.


Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
 /etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
 
-ifndef(`distro_redhat',`
+/usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 
 	# for apt-cache
 	apt_read_db(bootloader_t)
-	apt_read_cache(bootloader_t)
+	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
 	hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 
 	allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+##	read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 
 ########################################
 ## <summary>
+##	read mdadm pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mdadm_var_run_t:dir list_dir_perms;
+	allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mdadm pid files.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
 	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
+	dpkg_read_script_tmp_links(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy

Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix

[Chris PeBenito]

On 1/2/19 4:20 AM, Russell Coker wrote:
> Trivial stuff.
> 
> 
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
>   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
>   allow NetworkManager_t self:packet_socket create_socket_perms;
>   allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };

This seems odd.  Can you provide any more details on this?

-- 
Chris PeBenito

Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix

[Russell Coker]

On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> On 1/2/19 4:20 AM, Russell Coker wrote:
> > Trivial stuff.
> > 
> > 
> > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > 
> >   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> >   relabelto }; allow NetworkManager_t self:packet_socket
> >   create_socket_perms;
> >   allow NetworkManager_t self:socket create_socket_perms;
> > 
> > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > read };
> This seems odd.  Can you provide any more details on this?

From memory it appeared to be some sort of ping functionality built in.  Feel 
free to drop that section and apply the rest, I can do more testing on it if 
you like.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix

[Nicolas Iooss]

On Thu, Jan 3, 2019 at 2:19 AM Russell Coker <russell@coker.com.au> wrote:
>
> On Thursday, 3 January 2019 11:14:06 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 4:20 AM, Russell Coker wrote:
> > > Trivial stuff.
> > >
> > >
> > > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > > @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> > >
> > >   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom
> > >   relabelto }; allow NetworkManager_t self:packet_socket
> > >   create_socket_perms;
> > >   allow NetworkManager_t self:socket create_socket_perms;
> > >
> > > +allow NetworkManager_t self:rawip_socket { create setopt getattr write
> > > read };
> > This seems odd.  Can you provide any more details on this?
>
> From memory it appeared to be some sort of ping functionality built in.  Feel
> free to drop that section and apply the rest, I can do more testing on it if
> you like.

For information, I have a patch in my policy (that I never found the
time to send) which adds "allow NetworkManager_t self:rawip_socket
create_socket_perms;" with the following description:

    Allow NetworkManager to use raw IP sockets

    NetworkManager uses raw sockets to send and receive ICMPv6 paquets.

    "ss --raw -lpn" shows:

        State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
        UNCONN  0       0       :::ipv6-icmp        :::*
        users:(("NetworkManager",pid=31474,fd=22))

    and audit.log reports AVC denials from NetworkManager for create,
    setopt, getattr and write in rawip_socket class.  Here is an excerpt for
    a denied write ("lport=58" means "ipv6-icmp", cf. /etc/protocols):

      type=AVC msg=audit(1414245913.538:386): avc:  denied  { write } for
      pid=31474 comm="NetworkManager" lport=58
      scontext=system_u:system_r:NetworkManager_t
      tcontext=system_u:system_r:NetworkManager_t tclass=rawip_socket

I agree with adding the required permissions to NetworkManager (ICMPv6
is used for Router Solicitation/Router Advertisement packets).

Nicolas