SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH] misc interfaces
@ 2019-01-04  7:33 Russell Coker
  2019-01-05 18:39 ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-01-04  7:33 UTC (permalink / raw)
  To: selinux-refpolicy

This patch has some small interface changes as well as the policy patches to
use the new interfaces.

Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	allow $1 apt_var_cache_t:file read_file_perms;
+	allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir manage_dir_perms;
-	allow $1 apt_var_cache_t:file manage_file_perms;
+	allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 
 ########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
 
 	allow $1 dpkg_script_tmp_t:file map;
 ')
+
+########################################
+## <summary>
+##	read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+	gen_require(`
+		type dpkg_script_tmp_t;
+	')
+
+	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
 	')
 
 	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+	dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 
 ########################################
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 
 #######################################
 ## <summary>
+##	relabel the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ##	Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
 ')
 
 ########################################
+## <summary>
+##     Manage the last logins log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	allow $1 lastlog_t:file manage_file_perms;
+	logging_rw_generic_log_dirs($1)
+')
+
+########################################
 ## <summary>
 ##	Execute pam programs in the pam domain.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
 
 ########################################
 ## <summary>
+##	read mdadm pid files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+	gen_require(`
+		type mdadm_var_run_t;
+	')
+
+	files_search_pids($1)
+	allow $1 mdadm_var_run_t:dir list_dir_perms;
+	allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mdadm pid files.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+	optional_policy(`
+	# for /etc/resolv.conf symlink
+		networkmanager_read_pid_files($1)
+	')
 
 	ifdef(`init_systemd',`
 		optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
 	# for postinst of a new kernel package
 	dpkg_manage_script_tmp_files(kmod_t)
 	dpkg_map_script_tmp_files(kmod_t)
+	dpkg_read_script_tmp_links(kmod_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
 # for /etc/mtab
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
 
+auth_append_lastlog(systemd_tmpfiles_t)
 auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
 auth_manage_login_records(systemd_tmpfiles_t)
 auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
 auth_relabel_login_records(systemd_tmpfiles_t)
 auth_setattr_login_records(systemd_tmpfiles_t)
 
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
 mls_file_write_all_levels(bootloader_t)
 
 term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
 term_dontaudit_manage_pty_dirs(bootloader_t)
 
 corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
 domain_use_interactive_fds(bootloader_t)
 
 files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
 files_manage_boot_files(bootloader_t)
 files_manage_boot_symlinks(bootloader_t)
 files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
 files_etc_filetrans_etc_runtime(bootloader_t, file)
 files_dontaudit_search_home(bootloader_t)
 
+fs_list_hugetlbfs(bootloader_t)
 fs_mount_fusefs(bootloader_t)
 fs_mount_xattr_fs(bootloader_t)
 fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
 
 	# for apt-cache
 	apt_read_db(bootloader_t)
-	apt_read_cache(bootloader_t)
+	apt_manage_cache(bootloader_t)
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
 	hal_dontaudit_append_lib_files(bootloader_t)
 	hal_write_log(bootloader_t)
 ')
@@ -230,5 +237,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
 	rpm_rw_pipes(bootloader_t)
 ')

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] misc interfaces
  2019-01-04  7:33 [PATCH] misc interfaces Russell Coker
@ 2019-01-05 18:39 ` Chris PeBenito
  2019-01-06  1:45   ` Russell Coker
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2019-01-05 18:39 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/4/19 2:33 AM, Russell Coker wrote:
> This patch has some small interface changes as well as the policy patches to
> use the new interfaces.
> 
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>   
>   	files_search_var($1)
>   	allow $1 apt_var_cache_t:dir list_dir_perms;
> -	allow $1 apt_var_cache_t:file read_file_perms;
> +	allow $1 apt_var_cache_t:file mmap_read_file_perms;
>   ')
>   
>   ########################################
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>   
>   	files_search_var($1)
>   	allow $1 apt_var_cache_t:dir manage_dir_perms;
> -	allow $1 apt_var_cache_t:file manage_file_perms;
> +	allow $1 apt_var_cache_t:file { manage_file_perms map };
>   ')

I dropped these hunks.  In general the map should be a separate 
interface, unless you're arguing that in all cases there should be mmaping.

Otherwise the remainder is merged.


>   ########################################
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
>   
>   	allow $1 dpkg_script_tmp_t:file map;
>   ')
> +
> +########################################
> +## <summary>
> +##	read dpkg_script_tmp_t links
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_read_script_tmp_links',`
> +	gen_require(`
> +		type dpkg_script_tmp_t;
> +	')
> +
> +	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/gpm.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
> +++ refpolicy-2.20180701/policy/modules/services/gpm.if
> @@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
>   	')
>   
>   	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
> +	dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
>   ')
>   
>   ########################################
> Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>   
>   #######################################
>   ## <summary>
> +##	relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	logging_search_logs($1)
> +	allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
>   ##	Read and write to the last logins log.
>   ## </summary>
>   ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>   ')
>   
>   ########################################
> +## <summary>
> +##     Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	allow $1 lastlog_t:file manage_file_perms;
> +	logging_rw_generic_log_dirs($1)
> +')
> +
> +########################################
>   ## <summary>
>   ##	Execute pam programs in the pam domain.
>   ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/raid.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/raid.if
> +++ refpolicy-2.20180701/policy/modules/system/raid.if
> @@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
>   
>   ########################################
>   ## <summary>
> +##	read mdadm pid files.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`raid_read_mdadm_pid',`
> +	gen_require(`
> +		type mdadm_var_run_t;
> +	')
> +
> +	files_search_pids($1)
> +	allow $1 mdadm_var_run_t:dir list_dir_perms;
> +	allow $1 mdadm_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
>   ##	Create, read, write, and delete
>   ##	mdadm pid files.
>   ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> @@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
>   	optional_policy(`
>   		nscd_use($1)
>   	')
> +	optional_policy(`
> +	# for /etc/resolv.conf symlink
> +		networkmanager_read_pid_files($1)
> +	')
>   
>   	ifdef(`init_systemd',`
>   		optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -136,6 +136,7 @@ optional_policy(`
>   	# for postinst of a new kernel package
>   	dpkg_manage_script_tmp_files(kmod_t)
>   	dpkg_map_script_tmp_files(kmod_t)
> +	dpkg_read_script_tmp_links(kmod_t)
>   ')
>   
>   optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
>   # for /etc/mtab
>   files_manage_etc_symlinks(systemd_tmpfiles_t)
>   
> +fs_getattr_tmpfs(systemd_tmpfiles_t)
> +fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
>   fs_getattr_xattr_fs(systemd_tmpfiles_t)
>   
>   selinux_get_fs_mount(systemd_tmpfiles_t)
>   selinux_search_fs(systemd_tmpfiles_t)
>   
> +auth_append_lastlog(systemd_tmpfiles_t)
>   auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_lastlog(systemd_tmpfiles_t)
>   auth_manage_login_records(systemd_tmpfiles_t)
>   auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_lastlog(systemd_tmpfiles_t)
>   auth_relabel_login_records(systemd_tmpfiles_t)
>   auth_setattr_login_records(systemd_tmpfiles_t)
>   
> Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
> @@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
>   mls_file_write_all_levels(bootloader_t)
>   
>   term_getattr_all_ttys(bootloader_t)
> +term_getattr_generic_ptys(bootloader_t)
>   term_dontaudit_manage_pty_dirs(bootloader_t)
>   
>   corecmd_exec_all_executables(bootloader_t)
> @@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
>   domain_use_interactive_fds(bootloader_t)
>   
>   files_create_boot_dirs(bootloader_t)
> +files_getattr_default_dirs(bootloader_t)
>   files_manage_boot_files(bootloader_t)
>   files_manage_boot_symlinks(bootloader_t)
>   files_read_etc_files(bootloader_t)
> @@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
>   files_etc_filetrans_etc_runtime(bootloader_t, file)
>   files_dontaudit_search_home(bootloader_t)
>   
> +fs_list_hugetlbfs(bootloader_t)
>   fs_mount_fusefs(bootloader_t)
>   fs_mount_xattr_fs(bootloader_t)
>   fs_mounton_fusefs(bootloader_t)
> @@ -172,7 +175,7 @@ ifdef(`distro_debian',`
>   
>   	# for apt-cache
>   	apt_read_db(bootloader_t)
> -	apt_read_cache(bootloader_t)
> +	apt_manage_cache(bootloader_t)
>   
>   	dpkg_read_db(bootloader_t)
>   	dpkg_rw_pipes(bootloader_t)
> @@ -204,6 +207,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	gpm_getattr_gpmctl(bootloader_t)
> +')
> +
> +optional_policy(`
>   	hal_dontaudit_append_lib_files(bootloader_t)
>   	hal_write_log(bootloader_t)
>   ')
> @@ -230,5 +237,9 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	raid_read_mdadm_pid(bootloader_t)
> +')
> +
> +optional_policy(`
>   	rpm_rw_pipes(bootloader_t)
>   ')
> 


-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 3+ messages in thread

* Re: [PATCH] misc interfaces
  2019-01-05 18:39 ` Chris PeBenito
@ 2019-01-06  1:45   ` Russell Coker
  0 siblings, 0 replies; 3+ messages in thread
From: Russell Coker @ 2019-01-06  1:45 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Sunday, 6 January 2019 5:39:37 AM AEDT Chris PeBenito wrote:
> On 1/4/19 2:33 AM, Russell Coker wrote:
> > This patch has some small interface changes as well as the policy patches
> > to use the new interfaces.
> > 
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> > @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
> > 
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir list_dir_perms;
> > -       allow $1 apt_var_cache_t:file read_file_perms;
> > +       allow $1 apt_var_cache_t:file mmap_read_file_perms;
> > ')
> > 
> > ########################################
> > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
> > 
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir manage_dir_perms;
> > -       allow $1 apt_var_cache_t:file manage_file_perms;
> > +       allow $1 apt_var_cache_t:file { manage_file_perms map };
> > ')
> 
> I dropped these hunks.  In general the map should be a separate
> interface, unless you're arguing that in all cases there should be mmaping.
> 
> Otherwise the remainder is merged.

While it is possible for anyone to write code that manages the apt cache, in 
general anything that touches it will do so via apt utilities or shared 
objects (usually by executing /usr/bin/apt-cache which has bin_t).

Yes I think that in all cases there should be a mapping because in all likely 
cases that will exist (all cases that are known to exist) the same code is 
used for accessing those files.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/


^ permalink raw reply	[flat|nested] 3+ messages in thread

end of thread, back to index

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04  7:33 [PATCH] misc interfaces Russell Coker
2019-01-05 18:39 ` Chris PeBenito
2019-01-06  1:45   ` Russell Coker

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable: git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox