* [PATCH] last misc stuff
@ 2019-01-04 7:35 Russell Coker
2019-01-05 19:04 ` Chris PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2019-01-04 7:35 UTC (permalink / raw)
To: selinux-refpolicy
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
-ifndef(`distro_redhat',`
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
logging_send_syslog_msg(backup_t)
+miscfiles_read_localization(backup_t)
+
sysnet_read_config(backup_t)
userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
#
allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
@@ -269,6 +273,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
')
+optional_policy(`
+ unconfined_use_fds(groupadd_t)
+')
+
########################################
#
# Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
#
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
@@ -560,3 +572,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
+ unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
userdom_use_user_terminals(syncthing_t)
-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
miscfiles_read_localization(local_login_t)
+userdom_manage_all_users_keys(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
allow dhcpc_t dhcp_state_t:file read_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
logging_send_syslog_msg(ifconfig_t)
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
')
optional_policy(`
- lvm_domtrans(udev_t)
-')
-
-optional_policy(`
fstools_domtrans(udev_t)
')
@@ -328,6 +324,10 @@ optional_policy(`
')
optional_policy(`
+ iptables_domtrans(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] last misc stuff
2019-01-04 7:35 [PATCH] last misc stuff Russell Coker
@ 2019-01-05 19:04 ` Chris PeBenito
2019-01-06 2:22 ` Russell Coker
0 siblings, 1 reply; 5+ messages in thread
From: Chris PeBenito @ 2019-01-05 19:04 UTC (permalink / raw)
To: Russell Coker, selinux-refpolicy
On 1/4/19 2:35 AM, Russell Coker wrote:
> More tiny patches. Note that this and the other 2 patches I just sent are not
> dependent on each other, please apply any that you like.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> @@ -1,9 +1,12 @@
> /etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> -ifndef(`distro_redhat',`
> +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +
> +ifndef(`distro_redhat',`
> +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
> /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
I modified some of these changes, as it results in file context
conflicts with the RPM module. More accurately, I removed the fc
entries in RPM that label the apt executables. I moved the apt-shell
back out of the ifndef block.
I think the synaptic and packagekit fc entries, which are in both apt
and rpm modules, may need to be dropped and move to the distro's
patches. Either that, or this ifndef needs to turn into ifdef debian
(or something else).
Otherwise merged.
> Index: refpolicy-2.20180701/policy/modules/admin/backup.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
> +++ refpolicy-2.20180701/policy/modules/admin/backup.te
> @@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
>
> logging_send_syslog_msg(backup_t)
>
> +miscfiles_read_localization(backup_t)
> +
> sysnet_read_config(backup_t)
>
> userdom_use_user_terminals(backup_t)
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
> @@ -317,6 +317,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + init_dbus_chat(dpkg_script_t)
> +')
> +
> +optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
> fs_getattr_xattr_fs(logrotate_t)
> fs_list_inotifyfs(logrotate_t)
> fs_getattr_tmpfs(logrotate_t)
> +# killall reads nsfs files
> +fs_read_nsfs_files(logrotate_t)
>
> mls_file_read_all_levels(logrotate_t)
> mls_file_write_all_levels(logrotate_t)
> Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
> @@ -189,7 +189,7 @@ optional_policy(`
> #
>
> allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
> -dontaudit groupadd_t self:capability { fsetid sys_tty_config };
> +dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
> allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow groupadd_t self:fd use;
> allow groupadd_t self:fifo_file rw_fifo_file_perms;
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
> userdom_dontaudit_search_user_home_dirs(groupadd_t)
>
> optional_policy(`
> + dbus_system_bus_client(groupadd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(groupadd_t)
> dpkg_rw_pipes(groupadd_t)
> ')
> @@ -269,6 +273,10 @@ optional_policy(`
> rpm_rw_pipes(groupadd_t)
> ')
>
> +optional_policy(`
> + unconfined_use_fds(groupadd_t)
> +')
> +
> ########################################
> #
> # Passwd local policy
> @@ -446,7 +454,7 @@ optional_policy(`
> #
>
> allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
> -dontaudit useradd_t self:capability sys_tty_config;
> +dontaudit useradd_t self:capability { net_admin sys_tty_config };
> allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow useradd_t self:fd use;
> allow useradd_t self:fifo_file rw_fifo_file_perms;
> @@ -538,6 +546,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_system_bus_client(useradd_t)
> +')
> +
> +optional_policy(`
> dpkg_use_fds(useradd_t)
> dpkg_rw_pipes(useradd_t)
> ')
> @@ -560,3 +572,7 @@ optional_policy(`
> rpm_use_fds(useradd_t)
> rpm_rw_pipes(useradd_t)
> ')
> +
> +optional_policy(`
> + unconfined_use_fds(useradd_t)
> +')
> Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
> +++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
> @@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
>
> userdom_use_user_terminals(syncthing_t)
>
> -optional_policy(`
> - # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
> - networkmanager_read_pid_files(syncthing_t)
> -')
> Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> @@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
> @@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
> /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
> /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
> @@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
> /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
> /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
> /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20180701/policy/modules/system/locallogin.te
> @@ -34,7 +34,7 @@ role system_r types sulogin_t;
>
> allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
> dontaudit local_login_t self:capability net_admin;
> -allow local_login_t self:process { setexec setrlimit setsched };
> +allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
> allow local_login_t self:fd use;
> allow local_login_t self:fifo_file rw_fifo_file_perms;
> allow local_login_t self:sock_file read_sock_file_perms;
> @@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
>
> miscfiles_read_localization(local_login_t)
>
> +userdom_manage_all_users_keys(local_login_t)
> userdom_spec_domtrans_all_users(local_login_t)
> userdom_signal_all_users(local_login_t)
> userdom_search_user_home_content(local_login_t)
> Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> @@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
> +fs_getattr_cgroup(setfiles_t)
> fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
> allow dhcpc_t dhcp_state_t:file read_file_perms;
> manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
> filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
> +allow dhcpc_t dhcpc_state_t:file map;
>
> # create pid file
> manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
> @@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
>
> logging_send_syslog_msg(ifconfig_t)
>
> +# dhclient reads /etc/ssl
> +miscfiles_read_generic_certs(dhcpc_t)
> miscfiles_read_localization(ifconfig_t)
>
> seutil_use_runinit_fds(ifconfig_t)
> Index: refpolicy-2.20180701/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20180701/policy/modules/system/udev.te
> @@ -306,10 +306,6 @@ optional_policy(`
> ')
>
> optional_policy(`
> - lvm_domtrans(udev_t)
> -')
> -
> -optional_policy(`
> fstools_domtrans(udev_t)
> ')
>
> @@ -328,6 +324,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + iptables_domtrans(udev_t)
> +')
> +
> +optional_policy(`
> lvm_domtrans(udev_t)
> ')
>
>
--
Chris PeBenito
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] last misc stuff
2019-01-05 19:04 ` Chris PeBenito
@ 2019-01-06 2:22 ` Russell Coker
2019-01-06 7:38 ` Dominick Grift
0 siblings, 1 reply; 5+ messages in thread
From: Russell Coker @ 2019-01-06 2:22 UTC (permalink / raw)
To: Chris PeBenito; +Cc: selinux-refpolicy
On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
> > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> > @@ -1,9 +1,12 @@
> > /etc/cron\.daily/apt --
> > gen_context(system_u:object_r:apt_exec_t,s0)
> >
> > -ifndef(`distro_redhat',`
> > +/usr/bin/apt --
> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
> > gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
> > -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
> > -- gen_context(system_u:object_r:apt_exec_t,s0)
> > +/usr/sbin/update-apt-xapian-index --
> > gen_context(system_u:object_r:apt_exec_t,s0) +
> > +ifndef(`distro_redhat',`
> > +/usr/bin/apt-shell --
> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
> > gen_context(system_u:object_r:apt_exec_t,s0)
> > /usr/lib/packagekit/packagekitd --
> > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
> > gen_context(system_u:object_r:apt_var_cache_t,s0)
> I modified some of these changes, as it results in file context
> conflicts with the RPM module. More accurately, I removed the fc
> entries in RPM that label the apt executables. I moved the apt-shell
> back out of the ifndef block.
>
> I think the synaptic and packagekit fc entries, which are in both apt
> and rpm modules, may need to be dropped and move to the distro's
> patches. Either that, or this ifndef needs to turn into ifdef debian
> (or something else).
>
> Otherwise merged.
I agree that things should be reconsidered with apt policy.
Do we even need separate apt and rpm policy given that both package managers
have access to write everything and change config files?
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] last misc stuff
2019-01-06 2:22 ` Russell Coker
@ 2019-01-06 7:38 ` Dominick Grift
2019-01-06 18:22 ` Chris PeBenito
0 siblings, 1 reply; 5+ messages in thread
From: Dominick Grift @ 2019-01-06 7:38 UTC (permalink / raw)
To: Russell Coker; +Cc: Chris PeBenito, selinux-refpolicy
Russell Coker <russell@coker.com.au> writes:
> On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
>> > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > ===================================================================
>> > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
>> > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
>> > @@ -1,9 +1,12 @@
>> > /etc/cron\.daily/apt --
>> > gen_context(system_u:object_r:apt_exec_t,s0)
>> >
>> > -ifndef(`distro_redhat',`
>> > +/usr/bin/apt --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
>> > gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
>> > -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
>> > -- gen_context(system_u:object_r:apt_exec_t,s0)
>> > +/usr/sbin/update-apt-xapian-index --
>> > gen_context(system_u:object_r:apt_exec_t,s0) +
>> > +ifndef(`distro_redhat',`
>> > +/usr/bin/apt-shell --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
>> > gen_context(system_u:object_r:apt_exec_t,s0)
>> > /usr/lib/packagekit/packagekitd --
>> > gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
>> > gen_context(system_u:object_r:apt_var_cache_t,s0)
>> I modified some of these changes, as it results in file context
>> conflicts with the RPM module. More accurately, I removed the fc
>> entries in RPM that label the apt executables. I moved the apt-shell
>> back out of the ifndef block.
>>
>> I think the synaptic and packagekit fc entries, which are in both apt
>> and rpm modules, may need to be dropped and move to the distro's
>> patches. Either that, or this ifndef needs to turn into ifdef debian
>> (or something else).
>>
>> Otherwise merged.
>
> I agree that things should be reconsidered with apt policy.
>
> Do we even need separate apt and rpm policy given that both package managers
> have access to write everything and change config files?
AFAIK, apt can probably just be part of the rpm domain. Heck even dpkg
can be. The only thing , i think, that in that case should be taken care of
is to make a typealias rpm_script_t dpkg_script_t because dpkg has
selinux awareness and wants to manually transition to dpkg_script_t to
execute the scriptlets
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
^ permalink raw reply [flat|nested] 5+ messages in thread
* Re: [PATCH] last misc stuff
2019-01-06 7:38 ` Dominick Grift
@ 2019-01-06 18:22 ` Chris PeBenito
0 siblings, 0 replies; 5+ messages in thread
From: Chris PeBenito @ 2019-01-06 18:22 UTC (permalink / raw)
To: Dominick Grift, Russell Coker; +Cc: selinux-refpolicy
On 1/6/19 2:38 AM, Dominick Grift wrote:
> Russell Coker <russell@coker.com.au> writes:
>
>> On Sunday, 6 January 2019 6:04:14 AM AEDT Chris PeBenito wrote:
>>>> Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
>>>> ===================================================================
>>>> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
>>>> +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
>>>> @@ -1,9 +1,12 @@
>>>> /etc/cron\.daily/apt --
>>>> gen_context(system_u:object_r:apt_exec_t,s0)
>>>>
>>>> -ifndef(`distro_redhat',`
>>>> +/usr/bin/apt --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/apt-get --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) -/usr/bin/apt-shell
>>>> -- gen_context(system_u:object_r:apt_exec_t,s0) /usr/bin/aptitude
>>>> -- gen_context(system_u:object_r:apt_exec_t,s0)
>>>> +/usr/sbin/update-apt-xapian-index --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) +
>>>> +ifndef(`distro_redhat',`
>>>> +/usr/bin/apt-shell --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /usr/sbin/synaptic --
>>>> gen_context(system_u:object_r:apt_exec_t,s0)
>>>> /usr/lib/packagekit/packagekitd --
>>>> gen_context(system_u:object_r:apt_exec_t,s0) /var/cache/PackageKit(/.*)?
>>>> gen_context(system_u:object_r:apt_var_cache_t,s0)
>>> I modified some of these changes, as it results in file context
>>> conflicts with the RPM module. More accurately, I removed the fc
>>> entries in RPM that label the apt executables. I moved the apt-shell
>>> back out of the ifndef block.
>>>
>>> I think the synaptic and packagekit fc entries, which are in both apt
>>> and rpm modules, may need to be dropped and move to the distro's
>>> patches. Either that, or this ifndef needs to turn into ifdef debian
>>> (or something else).
>>>
>>> Otherwise merged.
>>
>> I agree that things should be reconsidered with apt policy.
>>
>> Do we even need separate apt and rpm policy given that both package managers
>> have access to write everything and change config files?
>
> AFAIK, apt can probably just be part of the rpm domain. Heck even dpkg
> can be. The only thing , i think, that in that case should be taken care of
> is to make a typealias rpm_script_t dpkg_script_t because dpkg has
> selinux awareness and wants to manually transition to dpkg_script_t to
> execute the scriptlets
I'd be open to merge the two modules, if they're similar enough. I'd be
nice to compare the two modules more deeply; unfortunately one feature I
haven't reimplemented from setools3 was the type relationship analysis,
which would be perfect for this.
--
Chris PeBenito
^ permalink raw reply [flat|nested] 5+ messages in thread
end of thread, other threads:[~2019-01-06 19:14 UTC | newest]
Thread overview: 5+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-04 7:35 [PATCH] last misc stuff Russell Coker
2019-01-05 19:04 ` Chris PeBenito
2019-01-06 2:22 ` Russell Coker
2019-01-06 7:38 ` Dominick Grift
2019-01-06 18:22 ` Chris PeBenito
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).