SELinux-Refpolicy Archive on lore.kernel.org
 help / color / Atom feed
From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: strict patch again with controversial sections removed
Date: Tue, 14 Apr 2020 10:52:29 -0400
Message-ID: <8a7a5e84-669c-f4d6-2758-c256150920b0@ieee.org> (raw)
In-Reply-To: <20200410065749.GA113012@xev>

On 4/10/20 2:57 AM, Russell Coker wrote:
> Signed-off-by: Russell Coker <russell@coker.com.au>
> 
> 
> Index: refpolicy-2.20200410/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20200410/policy/modules/system/userdomain.if
> @@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
>   	dontaudit $1_t user_tty_device_t:chr_file ioctl;
>   
>   	kernel_read_kernel_sysctls($1_t)
> +	kernel_read_crypto_sysctls($1_t)
> +	kernel_read_vm_overcommit_sysctl($1_t)
>   	kernel_dontaudit_list_unlabeled($1_t)
>   	kernel_dontaudit_getattr_unlabeled_files($1_t)
>   	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
> Index: refpolicy-2.20200410/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20200410/policy/modules/roles/sysadm.te
> @@ -57,6 +57,9 @@ selinux_read_policy(sysadm_t)
>   userdom_manage_user_home_dirs(sysadm_t)
>   userdom_home_filetrans_user_home_dir(sysadm_t)
>   
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)

Should go up in the init_systemd block.

>   ifdef(`direct_sysadm_daemon',`
>   	optional_policy(`
>   		init_run_daemon(sysadm_t, sysadm_r)
> @@ -1119,6 +1122,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	systemd_dbus_chat_logind(sysadm_t)
> +')
> +
> +optional_policy(`
>   	tboot_run_txtstat(sysadm_t, sysadm_r)
>   ')
>   
> @@ -1186,6 +1193,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dev_rw_generic_usb_dev(sysadm_t)
>   	usbmodules_run(sysadm_t, sysadm_r)
>   ')
>   
> Index: refpolicy-2.20200410/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20200410/policy/modules/services/xserver.if
> @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
>   	xserver_xsession_entry_type($2)
>   	xserver_dontaudit_write_log($2)
>   	xserver_stream_connect_xdm($2)
> +	xserver_use_user_fonts($2)
>   	# certain apps want to read xdm.pid file
>   	xserver_read_xdm_pid($2)
>   	# gnome-session creates socket under /tmp/.ICE-unix/
> @@ -140,7 +141,7 @@ interface(`xserver_role',`
>   	gen_require(`
>   		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
>   		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> -		type mesa_shader_cache_t;
> +		type mesa_shader_cache_t, xdm_t;
>   	')
>   
>   	xserver_restricted_role($1, $2)
> @@ -183,6 +184,8 @@ interface(`xserver_role',`
>   
>   	xserver_read_xkb_libs($2)
>   
> +	allow $2 xdm_t:unix_stream_socket accept;
> +
>   	optional_policy(`
>   		xdg_manage_all_cache($2)
>   		xdg_relabel_all_cache($2)
> @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
>   	allow $1 xkb_var_lib_t:dir list_dir_perms;
>   	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
>   	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> +	allow $1 xkb_var_lib_t:file map;
>   ')
>   
>   ########################################
> Index: refpolicy-2.20200410/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20200410/policy/modules/services/dbus.if
> @@ -84,6 +84,7 @@ template(`dbus_role_template',`
>   
>   	allow $3 $1_dbusd_t:unix_stream_socket connectto;
>   	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> +	allow $1_dbusd_t $3:dbus send_msg;

Should go down in the next huk with the sigkill line.

>   	allow $3 $1_dbusd_t:fd use;
>   
>   	allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
> @@ -99,9 +100,13 @@ template(`dbus_role_template',`
>   
>   	allow $1_dbusd_t $3:process sigkill;
>   
> +	allow $1_dbusd_t self:process getcap;
> +
>   	corecmd_bin_domtrans($1_dbusd_t, $3)
>   	corecmd_shell_domtrans($1_dbusd_t, $3)
>   
> +	dev_read_sysfs($1_dbusd_t)
> +
>   	auth_use_nsswitch($1_dbusd_t)
>   
>   	ifdef(`hide_broken_symptoms',`
> @@ -109,8 +114,17 @@ template(`dbus_role_template',`
>   	')
>   
>   	optional_policy(`
> +		init_dbus_chat($1_dbusd_t)
> +		dbus_system_bus_client($1_dbusd_t)
> +	')
> +
> +	optional_policy(`
>   		systemd_read_logind_pids($1_dbusd_t)
>   	')
> +
> +	optional_policy(`
> +		xdg_read_data_files($1_dbusd_t)
> +	')
>   ')
>   
>   #######################################
> Index: refpolicy-2.20200410/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20200410/policy/modules/services/ssh.if
> @@ -437,6 +437,7 @@ template(`ssh_role_template',`
>   		xserver_use_xdm_fds($1_ssh_agent_t)
>   		xserver_rw_xdm_pipes($1_ssh_agent_t)
>   		xserver_sigchld_xdm($1_ssh_agent_t)
> +		xserver_write_inherited_xsession_log($1_ssh_agent_t)
>   	')
>   ')
>   
> Index: refpolicy-2.20200410/policy/modules/kernel/corecommands.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/kernel/corecommands.te
> +++ refpolicy-2.20200410/policy/modules/kernel/corecommands.te
> @@ -13,7 +13,7 @@ attribute exec_type;
>   #
>   # bin_t is the type of files in the system bin/sbin directories.
>   #
> -type bin_t alias { ls_exec_t sbin_t };
> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
>   corecmd_executable_file(bin_t)
>   dev_associate(bin_t)	#For /dev/MAKEDEV
>   
> Index: refpolicy-2.20200410/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20200410/policy/modules/system/systemd.te
> @@ -38,10 +38,6 @@ type systemd_activate_t;
>   type systemd_activate_exec_t;
>   init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>   
> -type systemd_analyze_t;
> -type systemd_analyze_exec_t;
> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
> -
>   type systemd_backlight_t;
>   type systemd_backlight_exec_t;
>   init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
> @@ -1259,6 +1255,7 @@ tunable_policy(`systemd_tmpfiles_manage_
>   ')
>   
>   optional_policy(`
> +	dbus_manage_lib_files(systemd_tmpfiles_t)
>   	dbus_read_lib_files(systemd_tmpfiles_t)
>   	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
>   ')
> Index: refpolicy-2.20200410/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20200410/policy/modules/services/cron.te
> @@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t)
>   kernel_getattr_message_if(system_cronjob_t)
>   
>   kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_fs_sysctls(system_cronjob_t)
>   kernel_read_irq_sysctls(system_cronjob_t)
>   kernel_read_kernel_sysctls(system_cronjob_t)
>   kernel_read_network_state(system_cronjob_t)
> Index: refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/apps/pulseaudio.te
> +++ refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
> @@ -157,6 +157,7 @@ userdom_search_user_home_content(pulseau
>   userdom_manage_user_tmp_dirs(pulseaudio_t)
>   userdom_manage_user_tmp_files(pulseaudio_t)
>   userdom_manage_user_tmp_sockets(pulseaudio_t)
> +userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
>   
>   tunable_policy(`pulseaudio_execmem',`
>   	allow pulseaudio_t self:process execmem;
> 


-- 
Chris PeBenito

      reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-04-10  6:57 Russell Coker
2020-04-14 14:52 ` Chris PeBenito [this message]

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=8a7a5e84-669c-f4d6-2758-c256150920b0@ieee.org \
    --to=pebenito@ieee.org \
    --cc=russell@coker.com.au \
    --cc=selinux-refpolicy@vger.kernel.org \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/public-inbox.git