* [PATCH] misc interfaces
@ 2019-01-04 7:33 Russell Coker
2019-01-05 18:39 ` Chris PeBenito
0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-01-04 7:33 UTC (permalink / raw)
To: selinux-refpolicy
This patch has some small interface changes as well as the policy patches to
use the new interfaces.
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir list_dir_perms;
- allow $1 apt_var_cache_t:file read_file_perms;
+ allow $1 apt_var_cache_t:file mmap_read_file_perms;
')
########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
files_search_var($1)
allow $1 apt_var_cache_t:dir manage_dir_perms;
- allow $1 apt_var_cache_t:file manage_file_perms;
+ allow $1 apt_var_cache_t:file { manage_file_perms map };
')
########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
allow $1 dpkg_script_tmp_t:file map;
')
+
+########################################
+## <summary>
+## read dpkg_script_tmp_t links
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_read_script_tmp_links',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
+')
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
')
dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+ dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
')
########################################
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
#######################################
## <summary>
+## relabel the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ logging_search_logs($1)
+ allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
## Read and write to the last logins log.
## </summary>
## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
')
########################################
+## <summary>
+## Manage the last logins log.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+ gen_require(`
+ type lastlog_t;
+ ')
+
+ allow $1 lastlog_t:file manage_file_perms;
+ logging_rw_generic_log_dirs($1)
+')
+
+########################################
## <summary>
## Execute pam programs in the pam domain.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/raid.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/raid.if
+++ refpolicy-2.20180701/policy/modules/system/raid.if
@@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
########################################
## <summary>
+## read mdadm pid files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`raid_read_mdadm_pid',`
+ gen_require(`
+ type mdadm_var_run_t;
+ ')
+
+ files_search_pids($1)
+ allow $1 mdadm_var_run_t:dir list_dir_perms;
+ allow $1 mdadm_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mdadm pid files.
## </summary>
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
optional_policy(`
nscd_use($1)
')
+ optional_policy(`
+ # for /etc/resolv.conf symlink
+ networkmanager_read_pid_files($1)
+ ')
ifdef(`init_systemd',`
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -136,6 +136,7 @@ optional_policy(`
# for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
dpkg_map_script_tmp_files(kmod_t)
+ dpkg_read_script_tmp_links(kmod_t)
')
optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
# for /etc/mtab
files_manage_etc_symlinks(systemd_tmpfiles_t)
+fs_getattr_tmpfs(systemd_tmpfiles_t)
+fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
fs_getattr_xattr_fs(systemd_tmpfiles_t)
selinux_get_fs_mount(systemd_tmpfiles_t)
selinux_search_fs(systemd_tmpfiles_t)
+auth_append_lastlog(systemd_tmpfiles_t)
auth_manage_faillog(systemd_tmpfiles_t)
+auth_manage_lastlog(systemd_tmpfiles_t)
auth_manage_login_records(systemd_tmpfiles_t)
auth_manage_var_auth(systemd_tmpfiles_t)
+auth_relabel_lastlog(systemd_tmpfiles_t)
auth_relabel_login_records(systemd_tmpfiles_t)
auth_setattr_login_records(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
mls_file_write_all_levels(bootloader_t)
term_getattr_all_ttys(bootloader_t)
+term_getattr_generic_ptys(bootloader_t)
term_dontaudit_manage_pty_dirs(bootloader_t)
corecmd_exec_all_executables(bootloader_t)
@@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
domain_use_interactive_fds(bootloader_t)
files_create_boot_dirs(bootloader_t)
+files_getattr_default_dirs(bootloader_t)
files_manage_boot_files(bootloader_t)
files_manage_boot_symlinks(bootloader_t)
files_read_etc_files(bootloader_t)
@@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
files_etc_filetrans_etc_runtime(bootloader_t, file)
files_dontaudit_search_home(bootloader_t)
+fs_list_hugetlbfs(bootloader_t)
fs_mount_fusefs(bootloader_t)
fs_mount_xattr_fs(bootloader_t)
fs_mounton_fusefs(bootloader_t)
@@ -172,7 +175,7 @@ ifdef(`distro_debian',`
# for apt-cache
apt_read_db(bootloader_t)
- apt_read_cache(bootloader_t)
+ apt_manage_cache(bootloader_t)
dpkg_read_db(bootloader_t)
dpkg_rw_pipes(bootloader_t)
@@ -204,6 +207,10 @@ optional_policy(`
')
optional_policy(`
+ gpm_getattr_gpmctl(bootloader_t)
+')
+
+optional_policy(`
hal_dontaudit_append_lib_files(bootloader_t)
hal_write_log(bootloader_t)
')
@@ -230,5 +237,9 @@ optional_policy(`
')
optional_policy(`
+ raid_read_mdadm_pid(bootloader_t)
+')
+
+optional_policy(`
rpm_rw_pipes(bootloader_t)
')
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] misc interfaces
2019-01-04 7:33 [PATCH] misc interfaces Russell Coker
@ 2019-01-05 18:39 ` Chris PeBenito
2019-01-06 1:45 ` Russell Coker
0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2019-01-05 18:39 UTC (permalink / raw)
To: Russell Coker, selinux-refpolicy
On 1/4/19 2:33 AM, Russell Coker wrote:
> This patch has some small interface changes as well as the policy patches to
> use the new interfaces.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir list_dir_perms;
> - allow $1 apt_var_cache_t:file read_file_perms;
> + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> ')
>
> ########################################
> @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
>
> files_search_var($1)
> allow $1 apt_var_cache_t:dir manage_dir_perms;
> - allow $1 apt_var_cache_t:file manage_file_perms;
> + allow $1 apt_var_cache_t:file { manage_file_perms map };
> ')
I dropped these hunks. In general the map should be a separate
interface, unless you're arguing that in all cases there should be mmaping.
Otherwise the remainder is merged.
> ########################################
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -319,3 +319,21 @@ interface(`dpkg_map_script_tmp_files',`
>
> allow $1 dpkg_script_tmp_t:file map;
> ')
> +
> +########################################
> +## <summary>
> +## read dpkg_script_tmp_t links
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_read_script_tmp_links',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/gpm.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
> +++ refpolicy-2.20180701/policy/modules/services/gpm.if
> @@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
> ')
>
> dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
> + dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
> ')
>
> ########################################
> Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>
> #######################################
> ## <summary>
> +## relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + logging_search_logs($1)
> + allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
> ## Read and write to the last logins log.
> ## </summary>
> ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> ')
>
> ########################################
> +## <summary>
> +## Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> + gen_require(`
> + type lastlog_t;
> + ')
> +
> + allow $1 lastlog_t:file manage_file_perms;
> + logging_rw_generic_log_dirs($1)
> +')
> +
> +########################################
> ## <summary>
> ## Execute pam programs in the pam domain.
> ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/raid.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/raid.if
> +++ refpolicy-2.20180701/policy/modules/system/raid.if
> @@ -48,6 +48,26 @@ interface(`raid_run_mdadm',`
>
> ########################################
> ## <summary>
> +## read mdadm pid files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`raid_read_mdadm_pid',`
> + gen_require(`
> + type mdadm_var_run_t;
> + ')
> +
> + files_search_pids($1)
> + allow $1 mdadm_var_run_t:dir list_dir_perms;
> + allow $1 mdadm_var_run_t:file read_file_perms;
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## mdadm pid files.
> ## </summary>
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
> @@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
> optional_policy(`
> nscd_use($1)
> ')
> + optional_policy(`
> + # for /etc/resolv.conf symlink
> + networkmanager_read_pid_files($1)
> + ')
>
> ifdef(`init_systemd',`
> optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -136,6 +136,7 @@ optional_policy(`
> # for postinst of a new kernel package
> dpkg_manage_script_tmp_files(kmod_t)
> dpkg_map_script_tmp_files(kmod_t)
> + dpkg_read_script_tmp_links(kmod_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -970,14 +970,19 @@ files_relabelto_etc_dirs(systemd_tmpfile
> # for /etc/mtab
> files_manage_etc_symlinks(systemd_tmpfiles_t)
>
> +fs_getattr_tmpfs(systemd_tmpfiles_t)
> +fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
> fs_getattr_xattr_fs(systemd_tmpfiles_t)
>
> selinux_get_fs_mount(systemd_tmpfiles_t)
> selinux_search_fs(systemd_tmpfiles_t)
>
> +auth_append_lastlog(systemd_tmpfiles_t)
> auth_manage_faillog(systemd_tmpfiles_t)
> +auth_manage_lastlog(systemd_tmpfiles_t)
> auth_manage_login_records(systemd_tmpfiles_t)
> auth_manage_var_auth(systemd_tmpfiles_t)
> +auth_relabel_lastlog(systemd_tmpfiles_t)
> auth_relabel_login_records(systemd_tmpfiles_t)
> auth_setattr_login_records(systemd_tmpfiles_t)
>
> Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
> @@ -95,6 +95,7 @@ mls_file_read_all_levels(bootloader_t)
> mls_file_write_all_levels(bootloader_t)
>
> term_getattr_all_ttys(bootloader_t)
> +term_getattr_generic_ptys(bootloader_t)
> term_dontaudit_manage_pty_dirs(bootloader_t)
>
> corecmd_exec_all_executables(bootloader_t)
> @@ -102,6 +103,7 @@ corecmd_exec_all_executables(bootloader_
> domain_use_interactive_fds(bootloader_t)
>
> files_create_boot_dirs(bootloader_t)
> +files_getattr_default_dirs(bootloader_t)
> files_manage_boot_files(bootloader_t)
> files_manage_boot_symlinks(bootloader_t)
> files_read_etc_files(bootloader_t)
> @@ -118,6 +120,7 @@ files_manage_etc_runtime_files(bootloade
> files_etc_filetrans_etc_runtime(bootloader_t, file)
> files_dontaudit_search_home(bootloader_t)
>
> +fs_list_hugetlbfs(bootloader_t)
> fs_mount_fusefs(bootloader_t)
> fs_mount_xattr_fs(bootloader_t)
> fs_mounton_fusefs(bootloader_t)
> @@ -172,7 +175,7 @@ ifdef(`distro_debian',`
>
> # for apt-cache
> apt_read_db(bootloader_t)
> - apt_read_cache(bootloader_t)
> + apt_manage_cache(bootloader_t)
>
> dpkg_read_db(bootloader_t)
> dpkg_rw_pipes(bootloader_t)
> @@ -204,6 +207,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + gpm_getattr_gpmctl(bootloader_t)
> +')
> +
> +optional_policy(`
> hal_dontaudit_append_lib_files(bootloader_t)
> hal_write_log(bootloader_t)
> ')
> @@ -230,5 +237,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + raid_read_mdadm_pid(bootloader_t)
> +')
> +
> +optional_policy(`
> rpm_rw_pipes(bootloader_t)
> ')
>
--
Chris PeBenito
^ permalink raw reply [flat|nested] 3+ messages in thread* Re: [PATCH] misc interfaces
2019-01-05 18:39 ` Chris PeBenito
@ 2019-01-06 1:45 ` Russell Coker
0 siblings, 0 replies; 3+ messages in thread
From: Russell Coker @ 2019-01-06 1:45 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux-refpolicy
On Sunday, 6 January 2019 5:39:37 AM AEDT Chris PeBenito wrote:
> On 1/4/19 2:33 AM, Russell Coker wrote:
> > This patch has some small interface changes as well as the policy patches
> > to use the new interfaces.
> >
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.if
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.if
> > @@ -171,7 +171,7 @@ interface(`apt_read_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir list_dir_perms;
> > - allow $1 apt_var_cache_t:file read_file_perms;
> > + allow $1 apt_var_cache_t:file mmap_read_file_perms;
> > ')
> >
> > ########################################
> > @@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
> >
> > files_search_var($1)
> > allow $1 apt_var_cache_t:dir manage_dir_perms;
> > - allow $1 apt_var_cache_t:file manage_file_perms;
> > + allow $1 apt_var_cache_t:file { manage_file_perms map };
> > ')
>
> I dropped these hunks. In general the map should be a separate
> interface, unless you're arguing that in all cases there should be mmaping.
>
> Otherwise the remainder is merged.
While it is possible for anyone to write code that manages the apt cache, in
general anything that touches it will do so via apt utilities or shared
objects (usually by executing /usr/bin/apt-cache which has bin_t).
Yes I think that in all cases there should be a mapping because in all likely
cases that will exist (all cases that are known to exist) the same code is
used for accessing those files.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2019-01-06 1:45 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04 7:33 [PATCH] misc interfaces Russell Coker
2019-01-05 18:39 ` Chris PeBenito
2019-01-06 1:45 ` Russell Coker
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).