Subject: Re: strict patch again with controversial sections removed
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Message-ID: <8a7a5e84-669c-f4d6-2758-c256150920b0@ieee.org>
Date: Tue, 14 Apr 2020 10:52:29 -0400
In-Reply-To: <20200410065749.GA113012@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/10/20 2:57 AM, Russell Coker wrote:
> Signed-off-by: Russell Coker > > > Index: refpolicy-2.20200410/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20200410/policy/modules/system/userdomain.if > @@ -68,6 +68,8 @@ template(`userdom_base_user_template',` > dontaudit $1_t user_tty_device_t:chr_file ioctl; > > kernel_read_kernel_sysctls($1_t) > + kernel_read_crypto_sysctls($1_t) > + kernel_read_vm_overcommit_sysctl($1_t) > kernel_dontaudit_list_unlabeled($1_t) > kernel_dontaudit_getattr_unlabeled_files($1_t) > kernel_dontaudit_getattr_unlabeled_symlinks($1_t) > Index: refpolicy-2.20200410/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20200410/policy/modules/roles/sysadm.te > @@ -57,6 +57,9 @@ selinux_read_policy(sysadm_t) > userdom_manage_user_home_dirs(sysadm_t) > userdom_home_filetrans_user_home_dir(sysadm_t) > > +# for systemd-analyze > +files_get_etc_unit_status(sysadm_t) Should go up in the init_systemd block. > ifdef(`direct_sysadm_daemon',` > optional_policy(` > init_run_daemon(sysadm_t, sysadm_r) > @@ -1119,6 +1122,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(sysadm_t) > +') > + > +optional_policy(` > tboot_run_txtstat(sysadm_t, sysadm_r) > ') > > @@ -1186,6 +1193,7 @@ optional_policy(` > ') > > optional_policy(` > + dev_rw_generic_usb_dev(sysadm_t) > usbmodules_run(sysadm_t, sysadm_r) > ') > > Index: refpolicy-2.20200410/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20200410/policy/modules/services/xserver.if 
> @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',` > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) > xserver_stream_connect_xdm($2) > + xserver_use_user_fonts($2) > # certain apps want to read xdm.pid file > xserver_read_xdm_pid($2) > # gnome-session creates socket under /tmp/.ICE-unix/ > @@ -140,7 +141,7 @@ interface(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > - type mesa_shader_cache_t; > + type mesa_shader_cache_t, xdm_t; > ') > > xserver_restricted_role($1, $2) > @@ -183,6 +184,8 @@ interface(`xserver_role',` > > xserver_read_xkb_libs($2) > > + allow $2 xdm_t:unix_stream_socket accept; > + > optional_policy(` > xdg_manage_all_cache($2) > xdg_relabel_all_cache($2) > @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',` > allow $1 xkb_var_lib_t:dir list_dir_perms; > read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > + allow $1 xkb_var_lib_t:file map; > ') > > ######################################## > Index: refpolicy-2.20200410/policy/modules/services/dbus.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/dbus.if > +++ refpolicy-2.20200410/policy/modules/services/dbus.if > @@ -84,6 +84,7 @@ template(`dbus_role_template',` > > allow $3 $1_dbusd_t:unix_stream_socket connectto; > allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; > + allow $1_dbusd_t $3:dbus send_msg; Should go down in the next hunk with the sigkill line. > allow $3 $1_dbusd_t:fd use; > > allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; 
> @@ -99,9 +100,13 @@ template(`dbus_role_template',` > > allow $1_dbusd_t $3:process sigkill; > > + allow $1_dbusd_t self:process getcap; > + > corecmd_bin_domtrans($1_dbusd_t, $3) > corecmd_shell_domtrans($1_dbusd_t, $3) > > + dev_read_sysfs($1_dbusd_t) > + > auth_use_nsswitch($1_dbusd_t) > > ifdef(`hide_broken_symptoms',` > @@ -109,8 +114,17 @@ template(`dbus_role_template',` > ') > > optional_policy(` > + init_dbus_chat($1_dbusd_t) > + dbus_system_bus_client($1_dbusd_t) > + ') > + > + optional_policy(` > systemd_read_logind_pids($1_dbusd_t) > ') > + > + optional_policy(` > + xdg_read_data_files($1_dbusd_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20200410/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20200410/policy/modules/services/ssh.if > @@ -437,6 +437,7 @@ template(`ssh_role_template',` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > xserver_sigchld_xdm($1_ssh_agent_t) > + xserver_write_inherited_xsession_log($1_ssh_agent_t) > ') > ') > > Index: refpolicy-2.20200410/policy/modules/kernel/corecommands.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/kernel/corecommands.te > +++ refpolicy-2.20200410/policy/modules/kernel/corecommands.te > @@ -13,7 +13,7 @@ attribute exec_type; > # > # bin_t is the type of files in the system bin/sbin directories. > # > -type bin_t alias { ls_exec_t sbin_t }; > +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; > corecmd_executable_file(bin_t) > dev_associate(bin_t) #For /dev/MAKEDEV > > Index: refpolicy-2.20200410/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20200410/policy/modules/system/systemd.te 
> @@ -38,10 +38,6 @@ type systemd_activate_t; > type systemd_activate_exec_t; > init_system_domain(systemd_activate_t, systemd_activate_exec_t) > > -type systemd_analyze_t; > -type systemd_analyze_exec_t; > -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) > - > type systemd_backlight_t; > type systemd_backlight_exec_t; > init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) > @@ -1259,6 +1255,7 @@ tunable_policy(`systemd_tmpfiles_manage_ > ') > > optional_policy(` > + dbus_manage_lib_files(systemd_tmpfiles_t) > dbus_read_lib_files(systemd_tmpfiles_t) > dbus_relabel_lib_dirs(systemd_tmpfiles_t) > ') > Index: refpolicy-2.20200410/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/cron.te > +++ refpolicy-2.20200410/policy/modules/services/cron.te > @@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t) > kernel_getattr_message_if(system_cronjob_t) > > kernel_read_crypto_sysctls(system_cronjob_t) > +kernel_read_fs_sysctls(system_cronjob_t) > kernel_read_irq_sysctls(system_cronjob_t) > kernel_read_kernel_sysctls(system_cronjob_t) > kernel_read_network_state(system_cronjob_t) > Index: refpolicy-2.20200410/policy/modules/apps/pulseaudio.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/apps/pulseaudio.te > +++ refpolicy-2.20200410/policy/modules/apps/pulseaudio.te > @@ -157,6 +157,7 @@ userdom_search_user_home_content(pulseau > userdom_manage_user_tmp_dirs(pulseaudio_t) > userdom_manage_user_tmp_files(pulseaudio_t) > userdom_manage_user_tmp_sockets(pulseaudio_t) > +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) > > tunable_policy(`pulseaudio_execmem',` > allow pulseaudio_t self:process execmem; > -- Chris PeBenito
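Review bot: in the userdomain.if hunk, the two new sysctl reads (kernel_read_crypto_sysctls and kernel_read_vm_overcommit_sysctl) land in userdom_base_user_template, so every user domain built from it gets them, yet neither the hunk nor the commit message says which program needs them. A one-line comment naming the consumer, as the sysadm.te hunk does with `# for systemd-analyze`, would let later reviewers judge whether the access belongs in the base template or in a narrower interface.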
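Review bot: in the first sysadm.te hunk, `files_get_etc_unit_status(sysadm_t)` is added at the top level, but its own comment says it exists for systemd-analyze, so it belongs inside the init_systemd block of sysadm.te rather than being granted unconditionally on non-systemd builds as well.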
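Review bot: in the third sysadm.te hunk, `dev_rw_generic_usb_dev(sysadm_t)` is placed inside the optional_policy block for usbmodules, which makes a kernel-layer device permission conditional on whether the usbmodules module is present. If the access is only needed when running usbmodules, a comment saying so would justify the placement; otherwise move it out of the optional_policy block to the other dev_* calls.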
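Review bot: in the third xserver.if hunk, `allow $2 xdm_t:unix_stream_socket accept;` lets the user domain accept connections on a listening socket owned by xdm_t, an unusual direction for a session program, and the hunk carries no comment saying which program triggers it. Please name the program, as the neighbouring `# certain apps want to read xdm.pid file` comment does, so reviewers can decide whether this belongs in xserver_role for every user or in a narrower interface.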
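Review bot: in the last xserver.if hunk, `allow $1 xkb_var_lib_t:file map;` sits next to `read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)`; refpolicy's mmap_read_files_pattern covers both, so replacing the read_files_pattern line with `mmap_read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)` and dropping the raw allow keeps the interface in the project's pattern style.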
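Review bot: in the first dbus.if hunk, `allow $1_dbusd_t $3:dbus send_msg;` is inserted among rules whose subject is $3, but its subject is the per-user dbusd; it belongs with the other $1_dbusd_t rules in the following hunk, next to `allow $1_dbusd_t $3:process sigkill;`.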
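Review bot: in the second dbus.if hunk, the new optional_policy block pairs `init_dbus_chat($1_dbusd_t)` with `dbus_system_bus_client($1_dbusd_t)`; since this template lives in dbus.if, dbus_system_bus_client is the module's own interface and does not need an optional_policy wrapper. The hunk also gives the per-user dbusd getcap on itself, sysfs reads and xdg data reads without a comment on what produced those denials; naming the program or feature would help future cleanup.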
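Review bot: in the corecommands.te hunk, aliasing systemd_analyze_exec_t to bin_t (paired with the removal of the systemd_analyze_t domain in the first systemd.te hunk) keeps existing on-disk labels valid, but the diff touches neither systemd.fc nor systemd.if; if either still declares systemd_analyze_exec_t or references systemd_analyze_t, the type will now be declared twice or left undefined, so those files need updating in the same change or a note that nothing there refers to them. The commit message should also say why the separate domain is being dropped.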
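Review bot: in the second systemd.te hunk, `dbus_manage_lib_files(systemd_tmpfiles_t)` is added directly above `dbus_read_lib_files(systemd_tmpfiles_t)`; manage already includes read, so the read line is now redundant and should be dropped in the same change.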