From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <SRS0=EjqS=P6=vger.kernel.org=selinux-refpolicy-owner@kernel.org>
X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on
	aws-us-west-2-korg-lkml-1.web.codeaurora.org
X-Spam-Level: 
X-Spam-Status: No, score=-1.1 required=3.0 tests=DKIM_SIGNED,DKIM_VALID,
	DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM,
	HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLOCKED
	autolearn=ham autolearn_force=no version=3.4.0
Received: from mail.kernel.org (mail.kernel.org [198.145.29.99])
	by smtp.lore.kernel.org (Postfix) with ESMTP id 7A8CDC282C3
	for <selinux-refpolicy@archiver.kernel.org>; Tue, 22 Jan 2019 09:17:20 +0000 (UTC)
Received: from vger.kernel.org (vger.kernel.org [209.132.180.67])
	by mail.kernel.org (Postfix) with ESMTP id 40A6620823
	for <selinux-refpolicy@archiver.kernel.org>; Tue, 22 Jan 2019 09:17:20 +0000 (UTC)
Authentication-Results: mail.kernel.org;
	dkim=pass (2048-bit key) header.d=gmail.com header.i=@gmail.com header.b="ttCwpHtv"
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1727721AbfAVJRU (ORCPT
        <rfc822;selinux-refpolicy@archiver.kernel.org>);
        Tue, 22 Jan 2019 04:17:20 -0500
Received: from mail-ed1-f68.google.com ([209.85.208.68]:38229 "EHLO
        mail-ed1-f68.google.com" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S1727318AbfAVJRT (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Tue, 22 Jan 2019 04:17:19 -0500
Received: by mail-ed1-f68.google.com with SMTP id h50so18692072ede.5
        for <selinux-refpolicy@vger.kernel.org>; Tue, 22 Jan 2019 01:17:17 -0800 (PST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=gmail.com; s=20161025;
        h=from:to:cc:subject:references:date:in-reply-to:message-id
         :user-agent:mime-version;
        bh=on2IrZngKy/Pk9EQYkwOmIZRIsPOavN2aBGy/57NzQk=;
        b=ttCwpHtvU79Dkhpf1wXUhgmOgV7HQwE9hoJ80u1qbEj/ZJa6Nkdonm/EXRkHcvZOuu
         nrSKUBYv0i4Rq6jNult4hkXsnBvtT8YwErzArv/ckr+KOkPknqo4OZz+/few2iwRcL3V
         UMgIr9eymp0XMR7mwUd15Y/12dxCzjlNQJIV1rzOhD/GA1kHSB+W9OyAFJWwaRqE56vy
         uL3JjrlFstwNTjKVoUE1LI/3q7paqJgGhgdvu/k/nFOrslnl1A2n0eLOhYfwlBPilsxL
         t4EdoEQXPKoFQXDj4NF+1t/ZVftYW5gf9fKLxinO+/S9sgtMcVhhW3NQUo5ZG0lFDKsR
         GJbw==
X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
        d=1e100.net; s=20161025;
        h=x-gm-message-state:from:to:cc:subject:references:date:in-reply-to
         :message-id:user-agent:mime-version;
        bh=on2IrZngKy/Pk9EQYkwOmIZRIsPOavN2aBGy/57NzQk=;
        b=PzBLr/0sYGL+1+0z20B+ybAxD8nF6apSGU0C5J3TYm99sjUxwPaixNSWM2O3mps28+
         knc+AIfHgLKEHkkIa8VDvXyOUs/oj/eZ9FEJQKO1kq6D3M/39NUYThAHvWOa6j700jG8
         O0DMMHWr7TKncrog2GIx5P+XMGZZz8atRCJ/Awbimx5NAj2mU2gw2jxsF+SwCobXjw6Y
         HGuPUKO5a0YA4Sc1ZKUzMP3ss1YKSooxPvwCjtryfC9NFy4Au1J3HwJjzbl75QuQ49O4
         x/hVa/UJXDYUnWemW6t9CkoOUWxAeNcmxrSUWqpJ5QmYcPnsqWz16cNLSa72mXuowSz4
         MmAQ==
X-Gm-Message-State: AJcUukebN9M9bO8MwICVEq7ujs0MJmZdgU/uJaPdMw31pAOL0iGgOfo0
        EbzQliGMJpkoHUJ0rE1y3RlkGtSP
X-Google-Smtp-Source: ALg8bN6sTQq6p3yyEF2VDMHQ4lizE+g8aydQmPSXvS+kFsxRnT9XgVPvzzLzZwUlnwzGk3kIeWM7kQ==
X-Received: by 2002:a50:b902:: with SMTP id m2mr28969383ede.108.1548148636826;
        Tue, 22 Jan 2019 01:17:16 -0800 (PST)
Received: from brutus ([2001:985:d55d::438])
        by smtp.gmail.com with ESMTPSA id m44sm10046726edm.54.2019.01.22.01.17.15
        (version=TLS1_2 cipher=ECDHE-RSA-CHACHA20-POLY1305 bits=256/256);
        Tue, 22 Jan 2019 01:17:16 -0800 (PST)
From:   Dominick Grift <dac.override@gmail.com>
To:     Russell Coker <russell@coker.com.au>
Cc:     "selinux-refpolicy\@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: Re: [PATCH] tiny stuff for today
References: <20190122090028.GA6927@xev>
Date:   Tue, 22 Jan 2019 10:17:15 +0100
In-Reply-To: <20190122090028.GA6927@xev> (Russell Coker's message of "Tue, 22
        Jan 2019 20:00:28 +1100")
Message-ID: <877eexyrtw.fsf@gmail.com>
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/26.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker <russell@coker.com.au> writes:

> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.

You misunderstood. This is ok to allow, but without the
nnp_nosuid_transition policy capability set these processes setting nnp
would potentially cause issues with SELinux.

>
> Lots of little stuff for system_cronjob_t.
>
> Other minor trivial changes that should be obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>  
>  	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -456,8 +456,8 @@ optional_policy(`
>  # System local policy
>  #
>  
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
>  allow system_cronjob_t self:fd use;
>  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>  allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
>  kernel_getattr_message_if(system_cronjob_t)
>  
>  kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
>  domain_dontaudit_read_all_domains_state(system_cronjob_t)
>  
>  files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
>  files_read_etc_runtime_files(system_cronjob_t)
>  files_list_all(system_cronjob_t)
>  files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
>  libs_exec_lib_files(system_cronjob_t)
>  libs_exec_ld_so(system_cronjob_t)
>  
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
>  logging_send_audit_msgs(system_cronjob_t)
>  logging_send_syslog_msg(system_cronjob_t)
>  
> @@ -675,6 +677,9 @@ optional_policy(`
>  
>  optional_policy(`
>  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> +	# for gpg-connect-agent to access /run/user/0
> +	userdom_manage_user_runtime_dirs(system_cronjob_t)
>  ')
>  
>  ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
>  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>  
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>  
>  kernel_read_crypto_sysctls(NetworkManager_t)
>  kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
>  dev_getattr_all_chr_files(NetworkManager_t)
>  dev_rw_wireless(NetworkManager_t)
>  
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
>  domain_use_interactive_fds(NetworkManager_t)
>  domain_read_all_domains_state(NetworkManager_t)
>  
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -147,6 +147,7 @@ type xauth_t;
>  type xauth_exec_t;
>  typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>  typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
>  userdom_user_application_domain(xauth_t, xauth_exec_t)
>  
>  type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>  
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_nnp_transition(unconfined_t)
>  	dpkg_run(unconfined_t, unconfined_r)
>  ')
>  
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>  
>  fs_getattr_xattr_fs(kmod_t)
>  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>  
>  init_rw_initctl(kmod_t)
>  init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
>  fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>  fs_mount_tmpfs(systemd_nspawn_t)
>  fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>  
>  term_getattr_generic_ptys(systemd_nspawn_t)
>  term_getattr_pty_fs(systemd_nspawn_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift