From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login
Date: Wed, 2 Jan 2019 18:52:55 -0500	[thread overview]
Message-ID: <b1a8f09d-fb0b-b9e4-1229-6de5cfb1a5fc@ieee.org> (raw)
In-Reply-To: <20190102084045.GA31076@aaa.coker.com.au>

On 1/2/19 3:40 AM, Russell Coker wrote:
> Lots of little things that are self-explanatory.
> 
> Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
> 
> Remove obsolete policy from syncthing as we have it in
> sysnet_dns_name_resolve().
> 

[...]
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]

> @@ -169,7 +173,7 @@ optional_policy(`
>   #
>   
>   allow boinc_project_t self:capability { setgid setuid };
> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
> +allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
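Review bot: the only change on the `+` line is the added `signal`, which is already covered by `signal_perms` on the same line, so the edit is a no-op that leaves a duplicated permission in the list; drop it. Since this line is being touched anyway, it is worth confirming that the broad `self:process` set kept on it (`ptrace`, `execmem`, `execstack`) is still all required by boinc_project_t, as that is the kind of grant a least-privilege review would want justified in the commit message.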

This change shouldn't be necessary since signal is already in signal_perms.

[...]

> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>   
>   #######################################
>   ## <summary>
> +##	relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	logging_search_logs($1)
> +	allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
>   ##	Read and write to the last logins log.
>   ## </summary>
>   ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>   ')
>   
>   ########################################
> +## <summary>
> +##     Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
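Review bot: the doc comment for `auth_manage_lastlog` indents with spaces (`##     Manage the last logins log.`) while the `auth_relabel_lastlog` block in the previous hunk and the surrounding interfaces use a tab after `##`; match the existing tab style. Separately, the visible part of the body grants `manage_file_perms` on `lastlog_t:file` but does not call `logging_search_logs($1)` the way the relabel interface does; if the rest of the hunk does not add it, callers get the file permissions without search access to the log directory.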

The relabel perms shouldn't be in here.  I'd say split it into a new interface, but you're adding the other interface earlier in the patch.

-- 
Chris PeBenito
