[PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[Russell Coker]

Lots of little things that are self-explanatory.

Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.

Remove obsolete policy from syncthing as we have it in
sysnet_dns_name_resolve().

Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
 
 logging_send_syslog_msg(backup_t)
 
+miscfiles_read_localization(backup_t)
+
 sysnet_read_config(backup_t)
 
 userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -169,7 +173,7 @@ optional_policy(`
 #
 
 allow boinc_project_t self:capability { setgid setuid };
-allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
+allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };
 
 manage_dirs_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
 manage_files_pattern(boinc_project_t, boinc_project_tmp_t, boinc_project_tmp_t)
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
 userdom_getattr_user_ttys(boinc_t)
 
 optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_t)
+	apt_read_db(boinc_t)
+	dpkg_exec(boinc_t)
+	dpkg_read_db(boinc_t)
+
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
 	java_exec(boinc_project_t)
 ')
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
+miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
 
 userdom_use_user_terminals(syncthing_t)
 
-optional_policy(`
-	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
-	networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate --	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
 /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
 /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
Index: refpolicy-2.20180701/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20180701/policy/modules/system/authlogin.if
@@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
 
 #######################################
 ## <summary>
+##	relabel the last logins log.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_relabel_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	logging_search_logs($1)
+	allow $1 lastlog_t:file { relabelfrom relabelto };
+')
+
+#######################################
+## <summary>
 ##	Read and write to the last logins log.
 ## </summary>
 ## <param name="domain">
@@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
 ')
 
 ########################################
+## <summary>
+##     Manage the last logins log.
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`auth_manage_lastlog',`
+	gen_require(`
+		type lastlog_t;
+	')
+
+	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
+	logging_rw_generic_log_dirs($1)
+')
+
+########################################
 ## <summary>
 ##	Execute pam programs in the pam domain.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
 
 allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
 dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
 allow local_login_t self:fd use;
 allow local_login_t self:fifo_file rw_fifo_file_perms;
 allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
 
 miscfiles_read_localization(local_login_t)
 
+userdom_manage_all_users_keys(local_login_t)
 userdom_spec_domtrans_all_users(local_login_t)
 userdom_signal_all_users(local_login_t)
 userdom_search_user_home_content(local_login_t)

Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[Chris PeBenito]

On 1/2/19 3:40 AM, Russell Coker wrote:
> Lots of little things that are self-explanatory.
> 
> Boinc has some unusual stuff for lsb_release -a and for mmaping ld.so.cache.
> 
> Remove obsolete policy from syncthing as we have it in
> sysnet_dns_name_resolve().
> 

[...]
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
[...]

> @@ -169,7 +173,7 @@ optional_policy(`
>   #
>   
>   allow boinc_project_t self:capability { setgid setuid };
> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal_perms };
> +allow boinc_project_t self:process { execmem execstack noatsecure ptrace setcap getcap setpgid setsched signal signal_perms };

This change shouldn't be necessary since signal is already in signal_perms.

[...]

> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>   
>   #######################################
>   ## <summary>
> +##	relabel the last logins log.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`auth_relabel_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	logging_search_logs($1)
> +	allow $1 lastlog_t:file { relabelfrom relabelto };
> +')
> +
> +#######################################
> +## <summary>
>   ##	Read and write to the last logins log.
>   ## </summary>
>   ## <param name="domain">
> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>   ')
>   
>   ########################################
> +## <summary>
> +##     Manage the last logins log.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`auth_manage_lastlog',`
> +	gen_require(`
> +		type lastlog_t;
> +	')
> +
> +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };

The relabel perms shouldn't be in here.  I'd say split it into a new 
interface, but you're adding the other interface earlier in the patch.




-- 
Chris PeBenito

Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[Russell Coker]

Would you like me to resubmit those patches or would you rather just add them 
with the changes you suggest?

On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
> On 1/2/19 3:40 AM, Russell Coker wrote:
> > Lots of little things that are self-explanatory.
> > 
> > Boinc has some unusual stuff for lsb_release -a and for mmaping
> > ld.so.cache.
> > 
> > Remove obsolete policy from syncthing as we have it in
> > sysnet_dns_name_resolve().
> 
> [...]
> 
> > Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> 
> [...]
> 
> > @@ -169,7 +173,7 @@ optional_policy(`
> > 
> >   #
> >   
> >   allow boinc_project_t self:capability { setgid setuid };
> > 
> > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
> > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
> > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
> > setsched signal signal_perms };
> This change shouldn't be necessary since signal is already in signal_perms.
> 
> [...]
> 
> > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
> > 
> >   #######################################
> >   ## <summary>
> > 
> > +##	relabel the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain allowed access.
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`auth_relabel_lastlog',`
> > +	gen_require(`
> > +		type lastlog_t;
> > +	')
> > +
> > +	logging_search_logs($1)
> > +	allow $1 lastlog_t:file { relabelfrom relabelto };
> > +')
> > +
> > +#######################################
> > +## <summary>
> > 
> >   ##	Read and write to the last logins log.
> >   ## </summary>
> >   ## <param name="domain">
> > 
> > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> > 
> >   ')
> >   
> >   ########################################
> > 
> > +## <summary>
> > +##     Manage the last logins log.
> > +## </summary>
> > +## <param name="domain">
> > +##     <summary>
> > +##     Domain allowed access.
> > +##     </summary>
> > +## </param>
> > +#
> > +interface(`auth_manage_lastlog',`
> > +	gen_require(`
> > +		type lastlog_t;
> > +	')
> > +
> > +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
> 
> The relabel perms shouldn't be in here.  I'd say split it into a new
> interface, but you're adding the other interface earlier in the patch.


-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[Chris PeBenito]

On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?

My preference in this case would be resubmit.


> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
>>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>>
>> [...]
>>
>>> @@ -169,7 +173,7 @@ optional_policy(`
>>>
>>>    #
>>>    
>>>    allow boinc_project_t self:capability { setgid setuid };
>>>
>>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
>>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
>>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
>>> setsched signal signal_perms };
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
>>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>>>
>>>    #######################################
>>>    ## <summary>
>>>
>>> +##	relabel the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_relabel_lastlog',`
>>> +	gen_require(`
>>> +		type lastlog_t;
>>> +	')
>>> +
>>> +	logging_search_logs($1)
>>> +	allow $1 lastlog_t:file { relabelfrom relabelto };
>>> +')
>>> +
>>> +#######################################
>>> +## <summary>
>>>
>>>    ##	Read and write to the last logins log.
>>>    ## </summary>
>>>    ## <param name="domain">
>>>
>>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>>>
>>>    ')
>>>    
>>>    ########################################
>>>
>>> +## <summary>
>>> +##     Manage the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##     <summary>
>>> +##     Domain allowed access.
>>> +##     </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_manage_lastlog',`
>>> +	gen_require(`
>>> +		type lastlog_t;
>>> +	')
>>> +
>>> +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
>>
>> The relabel perms shouldn't be in here.  I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.
> 
> 


-- 
Chris PeBenito