selinux-refpolicy.vger.kernel.org archive mirror
* [PATCH] yet another little patch
@ 2019-01-28  8:48 Russell Coker
  2019-01-29 23:47 ` Chris PeBenito
  0 siblings, 1 reply; 3+ messages in thread
From: Russell Coker @ 2019-01-28  8:48 UTC (permalink / raw)
  To: selinux-refpolicy

This should all be obvious.

Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
 corenet_tcp_sendrecv_all_ports(system_cronjob_t)
 corenet_udp_sendrecv_all_ports(system_cronjob_t)
+corenet_tcp_connect_tor_port(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
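Review bot: the justification for `corenet_tcp_connect_tor_port(system_cronjob_t)` is missing; the commit message only says the change is obvious, and nothing in the hunk explains why a system cron job needs a connect rule for the tor port when the surrounding rules grant sendrecv on all ports but no connect at all. Add a comment above the line naming the consumer (the reply later in this thread identifies Debian's popcon uploading via tor), e.g. `# for popcon uploading its data via tor`, and consider gating the rule with a tunable so that systems without such a job do not give every system cron job a connection to the tor port.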
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
 kernel_getattr_message_if(devicekit_disk_t)
 kernel_list_unlabeled(devicekit_disk_t)
 kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
+kernel_read_crypto_sysctls(devicekit_disk_t)
 kernel_read_fs_sysctls(devicekit_disk_t)
 kernel_read_network_state(devicekit_disk_t)
 kernel_read_software_raid_state(devicekit_disk_t)
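Review bot: `kernel_read_crypto_sysctls(devicekit_disk_t)` is added without saying which sysctl under /proc/sys/crypto the devicekit_disk_t domain reads or what denial triggered it; the commit message does not cover it either. Put the reason in a comment above the line so a later reviewer can tell whether the read comes from the daemon itself or from a helper it runs. The alphabetical placement before `kernel_read_fs_sysctls(devicekit_disk_t)` is correct.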
@@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
 dev_getattr_mtrr_dev(devicekit_disk_t)
 dev_getattr_usbfs_dirs(devicekit_disk_t)
 dev_manage_generic_files(devicekit_disk_t)
+dev_read_rand(devicekit_disk_t)
 dev_read_urand(devicekit_disk_t)
 dev_rw_sysfs(devicekit_disk_t)
 
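Review bot: `dev_read_rand(devicekit_disk_t)` widens the domain to /dev/random on top of the existing `dev_read_urand(devicekit_disk_t)`, and the hunk gives no reason why urandom access is not enough. Since /dev/random can block, a daemon reading it directly is worth a second look: if the read actually comes from a helper that devicekit_disk_t executes, a domain transition for that helper would be the narrower fix than granting the access to the daemon. Either way, add a comment stating which program does the read.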
Index: refpolicy-2.20180701/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20180701/policy/modules/system/lvm.te
@@ -308,6 +308,7 @@ init_use_fds(lvm_t)
 init_dontaudit_getattr_initctl(lvm_t)
 init_use_script_ptys(lvm_t)
 init_read_script_state(lvm_t)
+init_read_script_tmp_files(lvm_t)
 # for systemd-cryptsetup to talk to /run/systemd/journal/socket
 init_stream_connect(lvm_t)
 
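Review bot: `init_read_script_tmp_files(lvm_t)` needs a comment like the one on the line below it: the neighbouring `init_stream_connect(lvm_t)` documents its consumer (systemd-cryptsetup talking to the journal socket), but nothing says which init-script temporary file lvm_t reads or which tool triggers the denial. Reading another domain's tmp files is often a sign of an inherited file descriptor or a mislabelled file, so a one-line note on what was observed would let the rule be revisited instead of carried forward blindly.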
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
 
 optional_policy(`
 	devicekit_read_pid_files(ifconfig_t)
+	devicekit_append_inherited_log_files(ifconfig_t)
 ')
 
 optional_policy(`
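Review bot: `devicekit_append_inherited_log_files(ifconfig_t)` grants a write on a log file descriptor that ifconfig inherits from devicekit; the hunk header shows the nearest preceding context is the ifdef(`hide_broken_symptoms' line, and if this optional_policy block sits inside that ifdef an allow rule is out of place, since that section exists for dontaudit rules. If the block is outside it, the commit message should say whether ifconfig really needs to write to the devicekit log or whether this is just a leaked descriptor, in which case a dontaudit rule would be the conventional choice rather than widening ifconfig_t.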


* Re: [PATCH] yet another little patch
  2019-01-28  8:48 [PATCH] yet another little patch Russell Coker
@ 2019-01-29 23:47 ` Chris PeBenito
  2019-01-30 12:54   ` Russell Coker
  0 siblings, 1 reply; 3+ messages in thread
From: Chris PeBenito @ 2019-01-29 23:47 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/28/19 3:48 AM, Russell Coker wrote:
> This should all be obvious.
> 
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -517,6 +517,7 @@ corenet_tcp_sendrecv_generic_node(system
>   corenet_udp_sendrecv_generic_node(system_cronjob_t)
>   corenet_tcp_sendrecv_all_ports(system_cronjob_t)
>   corenet_udp_sendrecv_all_ports(system_cronjob_t)
> +corenet_tcp_connect_tor_port(system_cronjob_t)

Everything but this hunk is merged, as it is not obvious to me.  Given 
the other networking rules, I would have guessed something like 
tcp_connect to all ports.  I can't infer the relevance of tor by itself.


>   dev_getattr_all_blk_files(system_cronjob_t)
>   dev_getattr_all_chr_files(system_cronjob_t)
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -91,6 +91,7 @@ files_pid_filetrans(devicekit_disk_t, de
>   kernel_getattr_message_if(devicekit_disk_t)
>   kernel_list_unlabeled(devicekit_disk_t)
>   kernel_dontaudit_getattr_unlabeled_files(devicekit_disk_t)
> +kernel_read_crypto_sysctls(devicekit_disk_t)
>   kernel_read_fs_sysctls(devicekit_disk_t)
>   kernel_read_network_state(devicekit_disk_t)
>   kernel_read_software_raid_state(devicekit_disk_t)
> @@ -108,6 +109,7 @@ dev_getattr_all_chr_files(devicekit_disk
>   dev_getattr_mtrr_dev(devicekit_disk_t)
>   dev_getattr_usbfs_dirs(devicekit_disk_t)
>   dev_manage_generic_files(devicekit_disk_t)
> +dev_read_rand(devicekit_disk_t)
>   dev_read_urand(devicekit_disk_t)
>   dev_rw_sysfs(devicekit_disk_t)
>   
> Index: refpolicy-2.20180701/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20180701/policy/modules/system/lvm.te
> @@ -308,6 +308,7 @@ init_use_fds(lvm_t)
>   init_dontaudit_getattr_initctl(lvm_t)
>   init_use_script_ptys(lvm_t)
>   init_read_script_state(lvm_t)
> +init_read_script_tmp_files(lvm_t)
>   # for systemd-cryptsetup to talk to /run/systemd/journal/socket
>   init_stream_connect(lvm_t)
>   
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -373,6 +373,7 @@ ifdef(`hide_broken_symptoms',`
>   
>   optional_policy(`
>   	devicekit_read_pid_files(ifconfig_t)
> +	devicekit_append_inherited_log_files(ifconfig_t)
>   ')
>   
>   optional_policy(`
> 


-- 
Chris PeBenito


* Re: [PATCH] yet another little patch
  2019-01-29 23:47 ` Chris PeBenito
@ 2019-01-30 12:54   ` Russell Coker
  0 siblings, 0 replies; 3+ messages in thread
From: Russell Coker @ 2019-01-30 12:54 UTC (permalink / raw)
  To: Chris PeBenito; +Cc: selinux-refpolicy

On Wednesday, 30 January 2019 10:47:06 AM AEDT Chris PeBenito wrote:
> > +corenet_tcp_connect_tor_port(system_cronjob_t)
> 
> Everything but this hunk is merged, as it is not obvious to me.  Given
> the other networking rules, I would have guessed something like
> tcp_connect to all ports.  I can't infer the relevance of tor by itself.

It allows cron jobs to talk to tor.

One example is the Debian package "popcon" which tracks the popularity of 
Debian packages.  That will upload its data via tor by default if possible.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
