SELinux-Refpolicy Archive on lore.kernel.org
* [PATCH] yet another little patch
@ 2019-01-28  8:48 Russell Coker
  2019-01-29 23:47 ` Chris PeBenito
From: Russell Coker @ 2019-01-28  8:48 UTC (permalink / raw)
  To: selinux-refpolicy

This should all be obvious.

Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
 corenet_tcp_sendrecv_all_ports(system_cronjob_t)
 corenet_udp_sendrecv_all_ports(system_cronjob_t)
+corenet_tcp_connect_tor_port(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
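Review bot: corenet_tcp_connect_tor_port(system_cronjob_t) carries no rationale, and it is the one line in this patch a reader cannot reconstruct from context: the surrounding rules already give system_cronjob_t sendrecv on all ports, so a single name_connect to tor_port_t is a deliberate choice rather than an obvious companion to what is there. State in the commit message which cron job needs it (the follow-up in this thread names Debian's popcon, which uploads over tor when it can), and consider making the grant opt-in through a tunable, since most system cron jobs have no reason to reach the tor port.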
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
 kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_crypto_sysctls(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
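Review bot: kernel_read_crypto_sysctls(devicekit_disk_t) is added with no denial or explanation, so the hunk alone does not show what udisks reads under /proc/sys/crypto (the sysctl_crypto_t tree this interface covers); name the file in the commit message. Placing it next to kernel_read_fs_sysctls is consistent with the other kernel_read_* calls in this block.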
@@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
 dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
 
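Review bot: devicekit_disk_t already has dev_read_urand on the following line, so dev_read_rand(devicekit_disk_t) specifically permits opening /dev/random, which on kernels of this era can block while the entropy pool fills; the commit message should name the udisks operation that opens /dev/random rather than /dev/urandom, so a reviewer can judge whether the access belongs in devicekit_disk_t or in the domain of a helper it runs.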
Index: refpolicy-2.20180701/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20180701/policy/modules/system/lvm.te
@@ -308,6 +308,7 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+init_read_script_tmp_files(lvm_t)
 # for systemd-cryptsetup to talk to /run/systemd/journal/socket
 init_stream_connect(lvm_t)
 
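Review bot: init_read_script_tmp_files(lvm_t) lands directly above a comment that justifies init_stream_connect for systemd-cryptsetup, but has no note of its own, so it is unclear what under initrc_tmp_t lvm_t (or cryptsetup running as lvm_t) needs to read. Add a one-line comment in the same style as the existing one, naming the tool and the file behind the denial.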
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
 
 optional_policy(`
 	devicekit_read_pid_files(ifconfig_t)
+	devicekit_append_inherited_log_files(ifconfig_t)
 ')
 
 optional_policy(`
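Review bot: devicekit_append_inherited_log_files(ifconfig_t) implies udisks runs ifconfig/ip with its log file still open as an inherited descriptor; the hunk header's context is ifdef(`hide_broken_symptoms',`, so check whether this optional_policy block sits inside that ifdef: if the descriptor is a leak that ifconfig never legitimately writes to, the conventional fix there is a dontaudit, not an allow. The commit message should say which case this is. Putting the call inside the existing devicekit optional_policy block next to devicekit_read_pid_files is the right location, since the interface comes from the devicekit module.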


* Re: [PATCH] yet another little patch
  2019-01-28  8:48 [PATCH] yet another little patch Russell Coker
@ 2019-01-29 23:47 ` Chris PeBenito
  2019-01-30 12:54   ` Russell Coker
From: Chris PeBenito @ 2019-01-29 23:47 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/28/19 3:48 AM, Russell Coker wrote:
> This should all be obvious.
> 
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
>   corenet_udp_sendrecv_generic_node(system_cronjob_t)
>   corenet_tcp_sendrecv_all_ports(system_cronjob_t)
>   corenet_udp_sendrecv_all_ports(system_cronjob_t)
> +corenet_tcp_connect_tor_port(system_cronjob_t)

Everything but this hunk is merged, as it is not obvious to me.  Given 
the other networking rules, I would have guessed something like 
tcp_connect to all ports.  I can't infer the relevance of tor by itself.


>   dev_getattr_all_blk_files(system_cronjob_t)
>   dev_getattr_all_chr_files(system_cronjob_t)
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
>   kernel_getattr_message_if(devicekit_disk_t)
>   kernel_list_unlabeled(devicekit_disk_t)
>   kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
> +kernel_read_crypto_sysctls(devicekit_disk_t)
>   kernel_read_fs_sysctls(devicekit_disk_t)
>   kernel_read_network_state(devicekit_disk_t)
>   kernel_read_software_raid_state(devicekit_disk_t)
> @@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
>   dev_getattr_mtrr_dev(devicekit_disk_t)
>   dev_getattr_usbfs_dirs(devicekit_disk_t)
>   dev_manage_generic_files(devicekit_disk_t)
> +dev_read_rand(devicekit_disk_t)
>   dev_read_urand(devicekit_disk_t)
>   dev_rw_sysfs(devicekit_disk_t)
>   
> Index: refpolicy-2.20180701/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20180701/policy/modules/system/lvm.te
> @@ -308,6 +308,7 @@ init_use_fds(lvm_t)
>   init_dontaudit_getattr_initctl(lvm_t)
>   init_use_script_ptys(lvm_t)
>   init_read_script_state(lvm_t)
> +init_read_script_tmp_files(lvm_t)
>   # for systemd-cryptsetup to talk to /run/systemd/journal/socket
>   init_stream_connect(lvm_t)
>   
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
>   
>   optional_policy(`
>   	devicekit_read_pid_files(ifconfig_t)
> +	devicekit_append_inherited_log_files(ifconfig_t)
>   ')
>   
>   optional_policy(`
> 


-- 
Chris PeBenito


* Re: [PATCH] yet another little patch
  2019-01-29 23:47 ` Chris PeBenito
@ 2019-01-30 12:54   ` Russell Coker
From: Russell Coker @ 2019-01-30 12:54 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Wednesday, 30 January 2019 10:47:06 AM AEDT Chris PeBenito wrote:
> > +corenet_tcp_connect_tor_port(system_cronjob_t)
> 
> Everything but this hunk is merged, as it is not obvious to me.  Given
> the other networking rules, I would have guessed something like
> tcp_connect to all ports.  I can't infer the relevance of tor by itself.

It allows cron jobs to talk to tor.

One example is the Debian package "popcon" which tracks the popularity of 
Debian packages.  That will upload its data via tor by default if possible.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
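
The workflow behind one-line patches like this one, as an added example that is not code from the thread, from refpolicy or from audit2allow: parse AVC denials (the records below are constructed for the example), merge them into the raw allow rules audit2allow would print, and map them onto refpolicy interface calls using a hand-written table. That table is an assumption covering only the interfaces named in this thread, and the permission sets it claims for each interface are from memory; verify any suggestion against the .if files before submitting it.

```python
"""Turn raw SELinux AVC denials into refpolicy rule candidates.

Added example for this thread, not code from the patch, refpolicy or
audit2allow. It parses constructed AVC records, merges them the way
audit2allow does, then maps them onto refpolicy interface calls where a
hand-written (assumed) table knows one.
"""
import re
from dataclasses import dataclass

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample records, not taken from any real audit log.
SAMPLE_AVC = [
    'type=AVC msg=audit(1548668880.101:301): avc:  denied  { name_connect } for  pid=4321 comm="popularity-contest" dest=9050 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:tor_port_t:s0 tclass=tcp_socket permissive=0',
    'type=AVC msg=audit(1548668881.202:302): avc:  denied  { read } for  pid=987 comm="udisksd" name="random" dev="devtmpfs" ino=6 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1548668881.203:303): avc:  denied  { open } for  pid=987 comm="udisksd" path="/dev/random" dev="devtmpfs" ino=6 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:random_device_t:s0 tclass=chr_file permissive=0',
    'type=AVC msg=audit(1548668882.303:304): avc:  denied  { read } for  pid=987 comm="udisksd" dev="proc" ino=7 scontext=system_u:system_r:devicekit_disk_t:s0 tcontext=system_u:object_r:sysctl_crypto_t:s0 tclass=file permissive=0',
    'type=AVC msg=audit(1548668883.404:305): avc:  denied  { name_connect } for  pid=4322 comm="curl" dest=80 scontext=system_u:system_r:system_cronjob_t:s0 tcontext=system_u:object_r:http_port_t:s0 tclass=tcp_socket permissive=0',
    'not an avc line',
]


@dataclass(frozen=True)
class Denial:
    source: str        # source type (third field of scontext)
    target: str        # target type (third field of tcontext)
    tclass: str
    perms: frozenset
    comm: str


def parse_avc(line):
    """Return a Denial for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("fields"))}
    try:
        src = fields["scontext"].split(":")[2]
        tgt = fields["tcontext"].split(":")[2]
        return Denial(src, tgt, fields["tclass"],
                      frozenset(m.group("perms").split()), fields.get("comm", ""))
    except (KeyError, IndexError):
        return None


def parse_lines(lines):
    return [d for d in map(parse_avc, lines) if d is not None]


def merge(denials):
    """Union the permissions of denials sharing (source, target, class)."""
    merged = {}
    for d in denials:
        key = (d.source, d.target, d.tclass)
        merged[key] = merged.get(key, frozenset()) | d.perms
    return merged


def raw_rules(denials):
    """The allow rules audit2allow would print, one per (source, target, class)."""
    out = []
    for (s, t, c), perms in sorted(merge(denials).items()):
        p = " ".join(sorted(perms))
        out.append("allow %s %s:%s %s;" % (s, t, c, p if len(perms) == 1 else "{ %s }" % p))
    return out


# Assumed mapping from (target type, class) to a refpolicy interface and the
# permissions it is believed to grant. Only the interfaces named in this
# thread; the permission sets are from memory of read_*_file_perms and
# append_file_perms, so check the .if definitions before relying on them.
INTERFACES = {
    ("tor_port_t", "tcp_socket"): ("corenet_tcp_connect_tor_port", {"name_connect"}),
    ("random_device_t", "chr_file"): ("dev_read_rand", {"getattr", "open", "read", "lock", "ioctl"}),
    ("sysctl_crypto_t", "file"): ("kernel_read_crypto_sysctls", {"getattr", "open", "read", "lock", "ioctl"}),
    ("initrc_tmp_t", "file"): ("init_read_script_tmp_files", {"getattr", "open", "read", "lock", "ioctl"}),
    ("devicekit_var_log_t", "file"): ("devicekit_append_inherited_log_files", {"getattr", "append", "lock", "ioctl"}),
}


def suggest(denials):
    """Interface call per merged denial, or the raw rule when no known interface covers it."""
    out = []
    for (s, t, c), perms in sorted(merge(denials).items()):
        name, covered = INTERFACES.get((t, c), (None, set()))
        if name and perms <= covered:
            out.append("%s(%s)" % (name, s))
        else:
            out.append(raw_rules([Denial(s, t, c, perms, "")])[0])
    return out


if __name__ == "__main__":
    found = parse_lines(SAMPLE_AVC)
    print("\n".join(raw_rules(found)))
    print("\n".join(suggest(found)))
```

The http_port_t record falls through to a raw allow rule because the assumed table has no entry for it, which is the behaviour you want from such a tool: it only names an interface when it knows one, and it never decides whether the access is wanted. That last judgement, the "is this obvious" question raised in the review above, stays with the human.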




