From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] latest memlockd patch
Date: Mon, 25 Jan 2021 09:46:59 -0500 [thread overview]
Message-ID: <ac22645b-76e8-61ad-534b-e5170da7196b@ieee.org> (raw)
In-Reply-To: <YAgDLZznabfyzIaJ@xev>
On 1/20/21 5:17 AM, Russell Coker wrote:
> Includes the ifndef(`distro_debian' section that was requested. Should be
> ready for merging now.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20201205/policy/modules/services/memlockd.fc
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20201205/policy/modules/services/memlockd.fc
> @@ -0,0 +1 @@
> +/usr/sbin/memlockd -- gen_context(system_u:object_r:memlockd_exec_t,s0)
> Index: refpolicy-2.20201205/policy/modules/services/memlockd.if
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20201205/policy/modules/services/memlockd.if
> @@ -0,0 +1,2 @@
> +## <summary>memory lock daemon, keeps important files in RAM.</summary>
> +
> Index: refpolicy-2.20201205/policy/modules/services/memlockd.te
> ===================================================================
> --- /dev/null
> +++ refpolicy-2.20201205/policy/modules/services/memlockd.te
> @@ -0,0 +1,39 @@
> +policy_module(memlockd, 1.0.0)
> +
> +########################################
> +#
> +# Declarations
> +#
> +
> +type memlockd_t;
> +type memlockd_exec_t;
> +init_daemon_domain(memlockd_t, memlockd_exec_t)
> +
> +########################################
> +#
> +# Local policy
> +#
> +
> +allow memlockd_t self:capability { setgid setuid ipc_lock };
> +ifndef(`distro_debian', `
> +allow memlockd_t self:capability dac_read_search;
> +')
> +allow memlockd_t self:fifo_file rw_file_perms;
> +
> +# cache /etc/shadow too
> +auth_read_shadow(memlockd_t)
> +auth_map_shadow(memlockd_t)
> +
> +corecmd_exec_all_executables(memlockd_t)
> +corecmd_exec_bin(memlockd_t)
> +corecmd_exec_shell(memlockd_t)
> +corecmd_read_all_executables(memlockd_t)
> +corecmd_search_bin(memlockd_t)
> +files_read_etc_files(memlockd_t)
> +libs_exec_ld_so(memlockd_t)
> +files_map_etc_files(memlockd_t)
> +
> +logging_send_syslog_msg(memlockd_t)
> +miscfiles_read_localization(memlockd_t)
> +
> +sysnet_mmap_read_config(memlockd_t)
> Index: refpolicy-2.20201205/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20201205.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20201205/policy/modules/system/sysnetwork.if
> @@ -393,6 +393,31 @@ interface(`sysnet_mmap_config_files',`
>
> #######################################
> ## <summary>
> +## map network config files.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to mmap the
> +## general network configuration files.
> +## </p>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`sysnet_mmap_read_config',`
> + gen_require(`
> + type net_conf_t;
> + ')
> +
> + files_search_etc($1)
> + allow $1 net_conf_t:file mmap_read_file_perms;
> +')
> +
> +#######################################
> +## <summary>
> ## Do not audit attempts to read network config files.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20201205/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20201205.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20201205/policy/modules/system/authlogin.if
> @@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
>
> ########################################
> ## <summary>
> +## Map the shadow passwords file (/etc/shadow)
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`auth_map_shadow',`
> + gen_require(`
> + type shadow_t;
> + ')
> + allow $1 shadow_t:file map;
> +')
> +
> +########################################
> +## <summary>
> ## Pass shadow assertion for reading.
> ## </summary>
> ## <desc>
Merged.
--
Chris PeBenito
prev parent reply other threads:[~2021-01-25 14:49 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-20 10:17 [PATCH] latest memlockd patch Russell Coker
2021-01-25 14:46 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ac22645b-76e8-61ad-534b-e5170da7196b@ieee.org \
--to=pebenito@ieee.org \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).