From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: another memlockd patch
Date: Fri, 10 Apr 2020 16:03:17 +1000 [thread overview]
Message-ID: <20200410060317.GB35896@xev> (raw)
Signed-off-by: Russell Coker <russell@coker.com.au>
I think this resolves all issues Chris raised.
Index: refpolicy-2.20200410/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20200410/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20200410/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200410/policy/modules/services/memlockd.te
@@ -0,0 +1,37 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+allow memlockd_t self:fifo_file rw_file_perms;
+allow memlockd_t self:unix_dgram_socket { create connect };
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+corecmd_exec_all_executables(memlockd_t)
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+corecmd_search_bin(memlockd_t)
+files_read_etc_files(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+files_map_etc_files(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+miscfiles_read_localization(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
Index: refpolicy-2.20200410/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20200410/policy/modules/system/sysnetwork.if
@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
#######################################
## <summary>
+## map network config files.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to mmap the
+## general network configuration files.
+## </p>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+ gen_require(`
+ type net_conf_t;
+ ')
+
+ files_search_etc($1)
+ allow $1 net_conf_t:file mmap_read_file_perms;
+')
+
+#######################################
+## <summary>
## Do not audit attempts to read network config files.
## </summary>
## <param name="domain">
Index: refpolicy-2.20200410/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20200410/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
########################################
## <summary>
+## Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+ gen_require(`
+ type shadow_t;
+ ')
+ allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
## Pass shadow assertion for reading.
## </summary>
## <desc>
next reply other threads:[~2020-04-10 6:03 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-04-10 6:03 Russell Coker [this message]
2020-04-10 8:10 ` another memlockd patch Dominick Grift
2020-04-10 9:40 ` Russell Coker
2020-04-14 15:04 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200410060317.GB35896@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).