* [refpolicy]  boinc patch for inclusion
@ 2016-12-31 10:16 Russell Coker
  2016-12-31 16:09 ` Chris PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2016-12-31 10:16 UTC (permalink / raw)
  To: refpolicy

Below is my final boinc patch.  It runs well on several systems.

diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
--- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te	2016-11-02 14:53:37.763215655 +1100
+++ ./policy/modules/contrib/boinc.te	2016-12-31 21:14:18.482560122 +1100
@@ -85,6 +85,7 @@
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
+kernel_read_crypto_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
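Review bot: the new kernel_read_crypto_sysctls(boinc_t) line carries no rationale, neither in the patch description nor in a comment, so a later reader cannot tell which access or denial prompted it; suggest a short note in the patch description (which program path or library hits /proc/sys/crypto) so the permission stays reviewable. It is read-only sysctl access, so the risk is low, but unexplained additions are how a domain drifts towards over-permission.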
@@ -143,6 +144,10 @@
 miscfiles_read_fonts(boinc_t)
 miscfiles_read_localization(boinc_t)
 
+xserver_list_xdm_tmp(boinc_t)
+corenet_tcp_connect_xserver_port(boinc_t)
+xserver_non_drawing_client(boinc_t)
+
 tunable_policy(`boinc_execmem',`
 	allow boinc_t self:process { execstack execmem };
 ')
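Review bot: the three X-related calls are added unconditionally, but boinc can run headless and the xserver module is a separate, optional module, so xserver_list_xdm_tmp(boinc_t) and xserver_non_drawing_client(boinc_t) need to sit inside an optional_policy(`…') block or the policy will fail to build where xserver is not loaded. Gating them behind a tunable in the same style as the boinc_execmem block below would also keep the X server attack surface off headless systems. Separately, corenet_tcp_connect_xserver_port(boinc_t) belongs with the other corenet_* calls earlier in the file rather than next to the xserver_* calls, to follow the file's grouping by module.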
diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
--- /home/rjc/src/pol-git/policy/modules/services/xserver.if	2016-12-31 21:09:24.677504879 +1100
+++ ./policy/modules/services/xserver.if	2016-12-31 21:14:18.486560245 +1100
@@ -1236,6 +1236,24 @@
 
 ########################################
 ## <summary>
+##	list xdm_tmp_t directories
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to allow
+##	</summary>
+## </param>
+#
+interface(`xserver_list_xdm_tmp',`
+	gen_require(`
+		type xdm_tmp_t;
+	')
+
+	allow $1 xdm_tmp_t:dir list_dir_perms;
+')
+
+########################################
+## <summary>
 ##	Execute the X server in the X server domain.
 ## </summary>
 ## <param name="domain">
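Review bot: the summary "list xdm_tmp_t directories" does not match the capitalised, type-free wording of the neighbouring interface ("Execute the X server in the X server domain."); suggest "List xdm temporary directories." Since xdm_tmp_t lives under /tmp, a caller also needs search on the tmp directory, and the other xdm_tmp_t interfaces in refpolicy include files_search_tmp($1) for that reason; without it, the new interface only works for domains that already have tmp search from elsewhere. Consider adding:

	files_search_tmp($1)
	allow $1 xdm_tmp_t:dir list_dir_perms;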


* [refpolicy] boinc patch for inclusion
  2016-12-31 10:16 [refpolicy] boinc patch for inclusion Russell Coker
@ 2016-12-31 16:09 ` Chris PeBenito
  2016-12-31 16:48   ` Russell Coker
  0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2016-12-31 16:09 UTC (permalink / raw)
  To: refpolicy

On 12/31/16 05:16, Russell Coker via refpolicy wrote:
> Below is my final boinc patch.  It runs well on several systems.
>
> diff -ru /home/rjc/src/pol-git/policy/modules/contrib/boinc.te ./policy/modules/contrib/boinc.te
> --- /home/rjc/src/pol-git/policy/modules/contrib/boinc.te	2016-11-02 14:53:37.763215655 +1100
> +++ ./policy/modules/contrib/boinc.te	2016-12-31 21:14:18.482560122 +1100
> @@ -85,6 +85,7 @@
>
>  kernel_read_system_state(boinc_t)
>  kernel_search_vm_sysctl(boinc_t)
> +kernel_read_crypto_sysctls(boinc_t)
>
>  corenet_all_recvfrom_unlabeled(boinc_t)
>  corenet_all_recvfrom_netlabel(boinc_t)
> @@ -143,6 +144,10 @@
>  miscfiles_read_fonts(boinc_t)
>  miscfiles_read_localization(boinc_t)
>
> +xserver_list_xdm_tmp(boinc_t)
> +corenet_tcp_connect_xserver_port(boinc_t)
> +xserver_non_drawing_client(boinc_t)

It's been a long time since I used boinc.  IIRC it can be headless?  If 
so then these should be optional.


>  tunable_policy(`boinc_execmem',`
>  	allow boinc_t self:process { execstack execmem };
>  ')
> diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.if ./policy/modules/services/xserver.if
> --- /home/rjc/src/pol-git/policy/modules/services/xserver.if	2016-12-31 21:09:24.677504879 +1100
> +++ ./policy/modules/services/xserver.if	2016-12-31 21:14:18.486560245 +1100
> @@ -1236,6 +1236,24 @@
>
>  ########################################
>  ## <summary>
> +##	list xdm_tmp_t directories
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to allow
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_list_xdm_tmp',`
> +	gen_require(`
> +		type xdm_tmp_t;
> +	')
> +
> +	allow $1 xdm_tmp_t:dir list_dir_perms;
> +')
> +
> +########################################
> +## <summary>
>  ##	Execute the X server in the X server domain.
>  ## </summary>
>  ## <param name="domain">



-- 
Chris PeBenito


* [refpolicy] boinc patch for inclusion
  2016-12-31 16:09 ` Chris PeBenito
@ 2016-12-31 16:48   ` Russell Coker
  2017-01-02 18:08     ` Chris PeBenito
  0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2016-12-31 16:48 UTC (permalink / raw)
  To: refpolicy

On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
> > miscfiles_read_localization(boinc_t)
> > 
> > +xserver_list_xdm_tmp(boinc_t)
> > +corenet_tcp_connect_xserver_port(boinc_t)
> > +xserver_non_drawing_client(boinc_t)
> 
> It's been a long time since I used boinc.  IIRC it can be headless?  If 
> so then these should be optional.

Correct.  Shall I submit a new patch or do you just want to change it while 
applying?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


* [refpolicy] boinc patch for inclusion
  2016-12-31 16:48   ` Russell Coker
@ 2017-01-02 18:08     ` Chris PeBenito
  2017-01-03  1:27       ` Russell Coker
  0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2017-01-02 18:08 UTC (permalink / raw)
  To: refpolicy

On 12/31/16 11:48, Russell Coker wrote:
> On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
>>> miscfiles_read_localization(boinc_t)
>>>
>>> +xserver_list_xdm_tmp(boinc_t)
>>> +corenet_tcp_connect_xserver_port(boinc_t)
>>> +xserver_non_drawing_client(boinc_t)
>>
>> It's been a long time since I used boinc.  IIRC it can be headless?  If
>> so then these should be optional.
>
> Correct.  Shall I submit a new patch or do you just want to change it while
> applying?

I've merged it and made the change.

-- 
Chris PeBenito


* [refpolicy] boinc patch for inclusion
  2017-01-02 18:08     ` Chris PeBenito
@ 2017-01-03  1:27       ` Russell Coker
  0 siblings, 0 replies; 5+ messages in thread
From: Russell Coker @ 2017-01-03  1:27 UTC (permalink / raw)
  To: refpolicy

On Monday, 2 January 2017 1:08:36 PM AEDT Chris PeBenito wrote:
> On 12/31/16 11:48, Russell Coker wrote:
> > On Saturday, 31 December 2016 11:09:41 AM AEDT Chris PeBenito wrote:
> >>> miscfiles_read_localization(boinc_t)
> >>> 
> >>> +xserver_list_xdm_tmp(boinc_t)
> >>> +corenet_tcp_connect_xserver_port(boinc_t)
> >>> +xserver_non_drawing_client(boinc_t)
> >> 
> >> It's been a long time since I used boinc.  IIRC it can be headless?  If
> >> so then these should be optional.
> > 
> > Correct.  Shall I submit a new patch or do you just want to change it
> > while
> > applying?
> 
> I've merged it and made the change.

Great, thanks!

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
