SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
* [PATCH] misc apps and admin patches
@ 2021-01-20 10:12 Russell Coker
  2021-01-20 13:28 ` Dominick Grift
  0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2021-01-20 10:12 UTC (permalink / raw)
  To: selinux-refpolicy

Patches for apt unattended upgrades and dbus, logrotate certs and samba,
games_t, mplayer/mencoder, and sysadm_t dbus.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210120/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
Index: refpolicy-2.20210120/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20210120/policy/modules/admin/apt.te
@@ -155,6 +155,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(apt_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(apt_t)
 ')
 
@@ -169,5 +173,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(apt_t)
+')
+
+optional_policy(`
 	unconfined_domain(apt_t)
 ')
Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
+
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_smbcontrol(logrotate_t)
 	samba_exec_log(logrotate_t)
 ')
 
Index: refpolicy-2.20210120/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210120/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
+	alsa_read_config(games_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(games_t)
 	dbus_connect_all_session_bus(games_t)
+	dbus_read_lib_files(games_t)
+	dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -175,6 +184,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xdg_read_config_files(games_t)
+	xdg_read_data_files(games_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
 	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
-	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
 	ps_process_pattern($2, { mplayer_t mencoder_t })
 
 	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
+++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(mencoder_t)
 ')
 
+tunable_policy(`xserver_allow_dri',`
+	dev_rw_dri(mplayer_t)
+')
+
 ########################################
 #
 # Mplayer local policy
 #
 
-allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:process { signal_perms getsched setsched };
 allow mplayer_t self:fifo_file rw_fifo_file_perms;
 allow mplayer_t self:sem create_sem_perms;
 allow mplayer_t self:udp_socket create_socket_perms;
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
 kernel_dontaudit_list_unlabeled(mplayer_t)
 kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
 kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_crypto_sysctls(mplayer_t)
 kernel_read_system_state(mplayer_t)
 kernel_read_kernel_sysctls(mplayer_t)
 
Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
@@ -530,6 +530,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(sysadm_t)
+')
+
+optional_policy(`
 	inn_admin(sysadm_t, sysadm_r)
 ')
 

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 10:12 [PATCH] misc apps and admin patches Russell Coker
@ 2021-01-20 13:28 ` Dominick Grift
  2021-01-20 13:36   ` Russell Coker
  0 siblings, 1 reply; 9+ messages in thread
From: Dominick Grift @ 2021-01-20 13:28 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> Patches for apt unattended upgrades and dbus, logrotate certs and samba,
> games_t, mplayer/mencoder, and sysadm_t dbus.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210120/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
>  /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
>  /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>  
>  ifndef(`distro_redhat',`
>  /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
>  /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>  
>  /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
>  /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210120/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
>  	nis_use_ypbind(apt_t)
>  ')
>  
> @@ -169,5 +173,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
>  	unconfined_domain(apt_t)
>  ')
> Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>  
>  	dpkg_read_db(bootloader_t)
>  	dpkg_rw_pipes(bootloader_t)
> +
> +	apt_use_fds(bootloader_t)
> +	apt_use_ptys(bootloader_t)
>  ')
>  
>  ifdef(`distro_redhat',`
> Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
>  logging_send_audit_msgs(logrotate_t)
>  logging_exec_all_logs(logrotate_t)
>  
> +miscfiles_read_generic_certs(logrotate_t)
>  miscfiles_read_localization(logrotate_t)
>  
>  seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	samba_domtrans_smbcontrol(logrotate_t)
>  	samba_exec_log(logrotate_t)
>  ')
>  
> Index: refpolicy-2.20210120/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210120/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>  
>  can_exec(games_t, games_exec_t)
>  
> +kernel_read_kernel_sysctls(games_t)
>  kernel_read_system_state(games_t)
>  
>  corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>  
>  corenet_all_recvfrom_netlabel(games_t)
>  corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>  
>  logging_dontaudit_search_logs(games_t)
>  
> +miscfiles_read_generic_certs(games_t)
>  miscfiles_read_man_pages(games_t)
>  miscfiles_read_localization(games_t)
>  
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
>  ')
>  
>  optional_policy(`
> +	alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
>  	dbus_all_session_bus_client(games_t)
>  	dbus_connect_all_session_bus(games_t)
> +	dbus_read_lib_files(games_t)
> +	dbus_system_bus_client(games_t)
>  ')
>  
>  optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	xdg_read_config_files(games_t)
> +	xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
>  	xserver_create_xdm_tmp_sockets(games_t)
>  	xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
>  	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
>  	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>  
> -	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> +	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
>  	ps_process_pattern($2, { mplayer_t mencoder_t })
>  
>  	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
>  	fs_manage_cifs_symlinks(mencoder_t)
>  ')
>  
> +tunable_policy(`xserver_allow_dri',`
> +	dev_rw_dri(mplayer_t)
> +')
> +
>  ########################################
>  #
>  # Mplayer local policy
>  #
>  
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
>  allow mplayer_t self:fifo_file rw_fifo_file_perms;
>  allow mplayer_t self:sem create_sem_perms;
>  allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
>  kernel_dontaudit_list_unlabeled(mplayer_t)
>  kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
>  kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
>  kernel_read_system_state(mplayer_t)
>  kernel_read_kernel_sysctls(mplayer_t)
>  
> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
> @@ -530,6 +530,10 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	init_dbus_chat(sysadm_t)

Can you explain why you added this?

> +')
> +
> +optional_policy(`
>  	inn_admin(sysadm_t, sysadm_r)
>  ')
>  
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 13:28 ` Dominick Grift
@ 2021-01-20 13:36   ` Russell Coker
  2021-01-20 15:03     ` Dominick Grift
  2021-01-20 15:06     ` Dominick Grift
  0 siblings, 2 replies; 9+ messages in thread
From: Russell Coker @ 2021-01-20 13:36 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
> > optional_policy(`
> > +       init_dbus_chat(sysadm_t)
> 
> Can you explain why you added this?

Apart from the obvious that some program wanted it, no.  I'll remove that bit 
and add it again with a note if it's necessary.  Did you like the rest of that 
patch?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 13:36   ` Russell Coker
@ 2021-01-20 15:03     ` Dominick Grift
  2021-01-20 15:06     ` Dominick Grift
  1 sibling, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2021-01-20 15:03 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > +       init_dbus_chat(sysadm_t)
>> 
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
> and add it again with a note if it's necessary.  Did you like the rest of that 
> patch?

Yes, if i didnt add any more comments then i liked the remainder of the
patch. I might have overlooked things though because that was quite a
load you dumped there.


-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 13:36   ` Russell Coker
  2021-01-20 15:03     ` Dominick Grift
@ 2021-01-20 15:06     ` Dominick Grift
  2021-01-20 15:08       ` Dominick Grift
  2021-01-20 23:18       ` Russell Coker
  1 sibling, 2 replies; 9+ messages in thread
From: Dominick Grift @ 2021-01-20 15:06 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Russell Coker <russell@coker.com.au> writes:

> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>> > optional_policy(`
>> > +       init_dbus_chat(sysadm_t)
>> 
>> Can you explain why you added this?
>
> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
> and add it again with a note if it's necessary.  Did you like the rest of that 
> patch?

Yes and thats my beef with this. "some program wanted it". sysadm_t is a
shell domain. Any programs that need this should, in my view, ideally be
targeted. If you dont want that then use unconfined_t instead and be
done.

I dont want sysadm_t to become a "drunken unconfined_t".

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 15:06     ` Dominick Grift
@ 2021-01-20 15:08       ` Dominick Grift
  2021-01-20 23:18       ` Russell Coker
  1 sibling, 0 replies; 9+ messages in thread
From: Dominick Grift @ 2021-01-20 15:08 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy

Dominick Grift <dominick.grift@defensec.nl> writes:

> Russell Coker <russell@coker.com.au> writes:
>
>> On Thursday, 21 January 2021 12:28:49 AM AEDT Dominick Grift wrote:
>>> > optional_policy(`
>>> > +       init_dbus_chat(sysadm_t)
>>> 
>>> Can you explain why you added this?
>>
>> Apart from the obvious that some program wanted it, no.  I'll remove that bit 
>> and add it again with a note if it's necessary.  Did you like the rest of that 
>> patch?
>
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
>
> I dont want sysadm_t to become a "drunken unconfined_t".

But also if this was added to support resolving dynamic users with
systemd then this is no longer needed because resolving of dynamic users
with systemd is no longer done with dbus. It is using varlink for that
now.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift

^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-01-20 15:06     ` Dominick Grift
  2021-01-20 15:08       ` Dominick Grift
@ 2021-01-20 23:18       ` Russell Coker
  1 sibling, 0 replies; 9+ messages in thread
From: Russell Coker @ 2021-01-20 23:18 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Thursday, 21 January 2021 2:06:25 AM AEDT Dominick Grift wrote:
> >> Can you explain why you added this?
> > 
> > Apart from the obvious that some program wanted it, no.  I'll remove that
> > bit and add it again with a note if it's necessary.  Did you like the
> > rest of that patch?
> 
> Yes and thats my beef with this. "some program wanted it". sysadm_t is a
> shell domain. Any programs that need this should, in my view, ideally be
> targeted. If you dont want that then use unconfined_t instead and be
> done.
> 
> I dont want sysadm_t to become a "drunken unconfined_t".

Fair point.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 9+ messages in thread

* Re: [PATCH] misc apps and admin patches
  2021-02-02 14:55 Russell Coker
@ 2021-02-02 18:33 ` Chris PeBenito
  0 siblings, 0 replies; 9+ messages in thread
From: Chris PeBenito @ 2021-02-02 18:33 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 2/2/21 9:55 AM, Russell Coker wrote:
> Send again without the section Dominick didn't like.  I think it's ready for inclusion.
> 
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> Index: refpolicy-2.20210126/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210126/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
>   /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>   
>   ifndef(`distro_redhat',`
>   /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
>   /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
>   
>   /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
>   /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210126/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210126/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
>   	nis_use_ypbind(apt_t)
>   ')
>   
> @@ -169,5 +173,9 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
>   	unconfined_domain(apt_t)
>   ')
> Index: refpolicy-2.20210126/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210126/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>   
>   	dpkg_read_db(bootloader_t)
>   	dpkg_rw_pipes(bootloader_t)
> +
> +	apt_use_fds(bootloader_t)
> +	apt_use_ptys(bootloader_t)
>   ')
>   
>   ifdef(`distro_redhat',`
> Index: refpolicy-2.20210126/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210126/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
>   logging_send_audit_msgs(logrotate_t)
>   logging_exec_all_logs(logrotate_t)
>   
> +miscfiles_read_generic_certs(logrotate_t)
>   miscfiles_read_localization(logrotate_t)
>   
>   seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	samba_domtrans_smbcontrol(logrotate_t)
>   	samba_exec_log(logrotate_t)
>   ')
>   
> Index: refpolicy-2.20210126/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210126/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>   
>   can_exec(games_t, games_exec_t)
>   
> +kernel_read_kernel_sysctls(games_t)
>   kernel_read_system_state(games_t)
>   
>   corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>   
>   corenet_all_recvfrom_netlabel(games_t)
>   corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>   
>   logging_dontaudit_search_logs(games_t)
>   
> +miscfiles_read_generic_certs(games_t)
>   miscfiles_read_man_pages(games_t)
>   miscfiles_read_localization(games_t)
>   
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
>   ')
>   
>   optional_policy(`
> +	alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
>   	dbus_all_session_bus_client(games_t)
>   	dbus_connect_all_session_bus(games_t)
> +	dbus_read_lib_files(games_t)
> +	dbus_system_bus_client(games_t)
>   ')
>   
>   optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	xdg_read_config_files(games_t)
> +	xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
>   	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
>   	xserver_create_xdm_tmp_sockets(games_t)
>   	xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
>   	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
>   	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>   
> -	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> +	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
>   	ps_process_pattern($2, { mplayer_t mencoder_t })
>   
>   	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
>   	fs_manage_cifs_symlinks(mencoder_t)
>   ')
>   
> +tunable_policy(`xserver_allow_dri',`
> +	dev_rw_dri(mplayer_t)
> +')
> +
>   ########################################
>   #
>   # Mplayer local policy
>   #
>   
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
>   allow mplayer_t self:fifo_file rw_fifo_file_perms;
>   allow mplayer_t self:sem create_sem_perms;
>   allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
>   kernel_dontaudit_list_unlabeled(mplayer_t)
>   kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
>   kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
>   kernel_read_system_state(mplayer_t)
>   kernel_read_kernel_sysctls(mplayer_t)

Merged.  Some lines were moved.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 9+ messages in thread

* [PATCH] misc apps and admin patches
@ 2021-02-02 14:55 Russell Coker
  2021-02-02 18:33 ` Chris PeBenito
  0 siblings, 1 reply; 9+ messages in thread
From: Russell Coker @ 2021-02-02 14:55 UTC (permalink / raw)
  To: selinux-refpolicy

Send again without the section Dominick didn't like.  I think it's ready for inclusion.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210126/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20210126/policy/modules/admin/apt.fc
@@ -5,6 +5,8 @@
 /usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
 /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
 
 ifndef(`distro_redhat',`
 /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
@@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
 /var/lock/aptitude	gen_context(system_u:object_r:apt_lock_t,s0)
 
 /var/log/aptitude.*	gen_context(system_u:object_r:apt_var_log_t,s0)
-
+/var/log/unattended-upgrades(/.*)	gen_context(system_u:object_r:apt_var_log_t,s0)
 /var/log/apt(/.*)?	gen_context(system_u:object_r:apt_var_log_t,s0)
Index: refpolicy-2.20210126/policy/modules/admin/apt.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/apt.te
+++ refpolicy-2.20210126/policy/modules/admin/apt.te
@@ -155,6 +155,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	networkmanager_dbus_chat(apt_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(apt_t)
 ')
 
@@ -169,5 +173,9 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(apt_t)
+')
+
+optional_policy(`
 	unconfined_domain(apt_t)
 ')
Index: refpolicy-2.20210126/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20210126/policy/modules/admin/bootloader.te
@@ -186,6 +186,9 @@ ifdef(`distro_debian',`
 
 	dpkg_read_db(bootloader_t)
 	dpkg_rw_pipes(bootloader_t)
+
+	apt_use_fds(bootloader_t)
+	apt_use_ptys(bootloader_t)
 ')
 
 ifdef(`distro_redhat',`
Index: refpolicy-2.20210126/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20210126/policy/modules/admin/logrotate.te
@@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
 logging_send_audit_msgs(logrotate_t)
 logging_exec_all_logs(logrotate_t)
 
+miscfiles_read_generic_certs(logrotate_t)
 miscfiles_read_localization(logrotate_t)
 
 seutil_dontaudit_read_config(logrotate_t)
@@ -242,6 +243,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	samba_domtrans_smbcontrol(logrotate_t)
 	samba_exec_log(logrotate_t)
 ')
 
Index: refpolicy-2.20210126/policy/modules/apps/games.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/games.te
+++ refpolicy-2.20210126/policy/modules/apps/games.te
@@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
 
 can_exec(games_t, games_exec_t)
 
+kernel_read_kernel_sysctls(games_t)
 kernel_read_system_state(games_t)
 
 corecmd_exec_bin(games_t)
+corecmd_exec_shell(games_t)
 
 corenet_all_recvfrom_netlabel(games_t)
 corenet_tcp_sendrecv_generic_if(games_t)
@@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
 
 logging_dontaudit_search_logs(games_t)
 
+miscfiles_read_generic_certs(games_t)
 miscfiles_read_man_pages(games_t)
 miscfiles_read_localization(games_t)
 
@@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
 ')
 
 optional_policy(`
+	alsa_read_config(games_t)
+')
+
+optional_policy(`
 	dbus_all_session_bus_client(games_t)
 	dbus_connect_all_session_bus(games_t)
+	dbus_read_lib_files(games_t)
+	dbus_system_bus_client(games_t)
 ')
 
 optional_policy(`
@@ -175,6 +184,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xdg_read_config_files(games_t)
+	xdg_read_data_files(games_t)
+')
+
+optional_policy(`
 	xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
 	xserver_create_xdm_tmp_sockets(games_t)
 	xserver_read_xdm_lib_files(games_t)
Index: refpolicy-2.20210126/policy/modules/apps/mplayer.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.if
+++ refpolicy-2.20210126/policy/modules/apps/mplayer.if
@@ -38,7 +38,7 @@ interface(`mplayer_role',`
 	domtrans_pattern($2, mencoder_exec_t, mencoder_t)
 	domtrans_pattern($2, mplayer_exec_t, mplayer_t)
 
-	allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
+	allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
 	ps_process_pattern($2, { mplayer_t mencoder_t })
 
 	allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
Index: refpolicy-2.20210126/policy/modules/apps/mplayer.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.te
+++ refpolicy-2.20210126/policy/modules/apps/mplayer.te
@@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
 	fs_manage_cifs_symlinks(mencoder_t)
 ')
 
+tunable_policy(`xserver_allow_dri',`
+	dev_rw_dri(mplayer_t)
+')
+
 ########################################
 #
 # Mplayer local policy
 #
 
-allow mplayer_t self:process { signal_perms getsched };
+allow mplayer_t self:process { signal_perms getsched setsched };
 allow mplayer_t self:fifo_file rw_fifo_file_perms;
 allow mplayer_t self:sem create_sem_perms;
 allow mplayer_t self:udp_socket create_socket_perms;
@@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
 kernel_dontaudit_list_unlabeled(mplayer_t)
 kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
 kernel_dontaudit_read_unlabeled_files(mplayer_t)
+kernel_read_crypto_sysctls(mplayer_t)
 kernel_read_system_state(mplayer_t)
 kernel_read_kernel_sysctls(mplayer_t)
 

^ permalink raw reply	[flat|nested] 9+ messages in thread

end of thread, back to index

Thread overview: 9+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2021-01-20 10:12 [PATCH] misc apps and admin patches Russell Coker
2021-01-20 13:28 ` Dominick Grift
2021-01-20 13:36   ` Russell Coker
2021-01-20 15:03     ` Dominick Grift
2021-01-20 15:06     ` Dominick Grift
2021-01-20 15:08       ` Dominick Grift
2021-01-20 23:18       ` Russell Coker
2021-02-02 14:55 Russell Coker
2021-02-02 18:33 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git