* [PATCH misc 3/3] networkmanager apt bootloader dpkg raid modutils tor devicekit dicts irqbalance policykit and postfix
@ 2019-01-02  9:20 Russell Coker
  2019-01-03  0:14 ` Chris PeBenito
  0 siblings, 1 reply; 4+ messages in thread
From: Russell Coker @ 2019-01-02  9:20 UTC (permalink / raw)
  To: selinux-refpolicy

Trivial stuff.


Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
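Review bot: The added `rawip_socket` rule at the end of the self-socket block has no comment saying which NetworkManager feature opens a raw IP socket, and it spells out `{ create setopt getattr write read }` where the neighbouring rules use `create_socket_perms`. The narrower hand-written set is the better choice for least privilege, so I would keep it and put a line such as `# raw IP socket needed by <feature seen in the AVC denial>` above it. Whether the domain already holds the capability a raw socket normally requires is not visible in this hunk.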
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
 /etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
 
-ifndef(`distro_redhat',`
+/usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)
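Review bot: The added `/usr/sbin/update-apt-xapian-index` entry separates its fields with single spaces while every other entry in the hunk uses tabs; writing it with tabs around `--` keeps the file consistent. Labelling an index-update helper `apt_exec_t` presumably makes it an entry point to the package-manager domain, so it deserves a short comment confirming that it needs those privileges and is not just a read-only consumer of the cache. The hunk also moves the `apt-get` and `aptitude` entries out of the distro_redhat guard, so those paths are labelled on every distribution. The guard block opened here closes outside the hunk.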
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
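Review bot: `term_getattr_generic_ptys(bootloader_t)`, and likewise `files_getattr_default_dirs`, `fs_list_hugetlbfs` and `gpm_getattr_gpmctl` in the later bootloader.te hunks, grant the bootloader domain access to objects it has no obvious reason to use, and none carries a comment. These look like stat or list calls made while a tool walks /dev or the mount table (inferred, not shown here). If so, a dontaudit rule would silence the denial without widening the domain, in the same way as the adjacent `term_dontaudit_manage_pty_dirs(bootloader_t)`. If the access is really required, a one-line comment such as `# <tool> stats these while probing devices` above each call would record why.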
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 
 	# for apt-cache
 	apt_read_db(bootloader_t)
-	apt_read_cache(bootloader_t)
+	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
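Review bot: Replacing `apt_read_cache` with `apt_manage_cache` under the existing `# for apt-cache` comment raises the bootloader domain from reading the apt cache to what the interface name suggests is create, write and delete, and the comment no longer explains the grant. If the cache type also covers downloaded package archives (not visible here), bootloader_t could then modify packages before they are installed. I would either keep `apt_read_cache(bootloader_t)` and dontaudit the write attempt, or change the comment to state the reason, for example `# apt-cache rewrites its cache files when run from <caller>`, once that is confirmed against the denial. The enclosing distro_debian block starts and ends outside the hunk.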
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
 	hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 
 	allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+##	read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
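Review bot: The summary `read dpkg_script_tmp_t links` names the type instead of describing the access; `Read dpkg script temporary symbolic links.` would match the style of the other interface headers. The body grants only `read_lnk_file_perms` on the link and no search on the containing directory, so a caller without separate directory access would still be denied. kmod_t presumably gets that access from `dpkg_manage_script_tmp_files` in the modutils.te hunk. Using `read_lnk_files_pattern($1, dpkg_script_tmp_t, dpkg_script_tmp_t)` would make the interface self-contained.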
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 
 ########################################
 ## <summary>
+##	read mdadm pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mdadm_var_run_t:dir list_dir_perms;
+	allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mdadm pid files.
 ## </summary>
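Review bot: `raid_read_mdadm_pid` grants `list_dir_perms` on `mdadm_var_run_t` directories, which lets the caller enumerate the directory, while the name and summary promise only reading pid files. `read_files_pattern($1, mdadm_var_run_t, mdadm_var_run_t)` would give directory search plus file read and match the stated contract; if listing is really wanted, the summary should say so. The summary would also read better capitalised as `Read mdadm pid files.` The header of the following interface continues past the end of the hunk.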
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
 	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
+	dpkg_read_script_tmp_links(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
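Review bot: `dbus_system_bus_client(dictd_t)` gives the dictd domain access to the system bus with no comment on what it talks to. The same applies to `init_dbus_chat(postfix_bounce_t)` in the postfix.te hunk, where a process that handles mail-derived data gains, going by the interface name, message exchange with init. Both look like side effects of a library lookup rather than a feature of the daemon itself (inferred, not shown here). A comment such as `# <library> contacts the system bus during <operation>` above each block would keep the grant reviewable, or a dontaudit would do if the daemon works without it.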
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
