Re: [PATCH] tiny stuff for today

From: Dominick Grift <dac.override@gmail.com>
To: Russell Coker <russell@coker.com.au>
Cc: "selinux-refpolicy\@vger.kernel.org" 
	<selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] tiny stuff for today
Date: Tue, 22 Jan 2019 10:17:15 +0100	[thread overview]
Message-ID: <877eexyrtw.fsf@gmail.com> (raw)
In-Reply-To: <20190122090028.GA6927@xev> (Russell Coker's message of "Tue, 22 Jan 2019 20:00:28 +1100")

Russell Coker <russell@coker.com.au> writes:

> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.

You misunderstood. This is ok to allow, but without the
nnp_nosuid_transition policy capability set these processes setting nnp
would potentially cause issues with SELinux.

>
> Lots of little stuff for system_cronjob_t.
>
> Other minor trivial changes that should be obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>  
>  	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -456,8 +456,8 @@ optional_policy(`
>  # System local policy
>  #
>  
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
>  allow system_cronjob_t self:fd use;
>  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>  allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
>  kernel_getattr_message_if(system_cronjob_t)
>  
>  kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
>  domain_dontaudit_read_all_domains_state(system_cronjob_t)
>  
>  files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
>  files_read_etc_runtime_files(system_cronjob_t)
>  files_list_all(system_cronjob_t)
>  files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
>  libs_exec_lib_files(system_cronjob_t)
>  libs_exec_ld_so(system_cronjob_t)
>  
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
>  logging_send_audit_msgs(system_cronjob_t)
>  logging_send_syslog_msg(system_cronjob_t)
>  
> @@ -675,6 +677,9 @@ optional_policy(`
>  
>  optional_policy(`
>  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> +	# for gpg-connect-agent to access /run/user/0
> +	userdom_manage_user_runtime_dirs(system_cronjob_t)
>  ')
>  
>  ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
>  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>  
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>  
>  kernel_read_crypto_sysctls(NetworkManager_t)
>  kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
>  dev_getattr_all_chr_files(NetworkManager_t)
>  dev_rw_wireless(NetworkManager_t)
>  
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
>  domain_use_interactive_fds(NetworkManager_t)
>  domain_read_all_domains_state(NetworkManager_t)
>  
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -147,6 +147,7 @@ type xauth_t;
>  type xauth_exec_t;
>  typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>  typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
>  userdom_user_application_domain(xauth_t, xauth_exec_t)
>  
>  type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>  
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_nnp_transition(unconfined_t)
>  	dpkg_run(unconfined_t, unconfined_r)
>  ')
>  
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>  
>  fs_getattr_xattr_fs(kmod_t)
>  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>  
>  init_rw_initctl(kmod_t)
>  init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
>  fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>  fs_mount_tmpfs(systemd_nspawn_t)
>  fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>  
>  term_getattr_generic_ptys(systemd_nspawn_t)
>  term_getattr_pty_fs(systemd_nspawn_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift