Subject: Re: [PATCH] last misc stuff
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
Date: Sat, 5 Jan 2019 14:04:14 -0500

On 1/4/19 2:35 AM, Russell Coker wrote: > More tiny patches. Note that this and the other 2 patches I just sent are not > dependent on each other, please apply any that you like. > > Index: refpolicy-2.20180701/policy/modules/admin/apt.fc > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc > +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> @@ -1,9 +1,12 @@ > /etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0) > > -ifndef(`distro_redhat',` > +/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0) > -/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0) > +/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0) > + > +ifndef(`distro_redhat',` > +/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0) > /usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0) > /var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0) I modified some of these changes, as it results in file context conflicts with the RPM module. More accurately, I removed the fc entries in RPM that label the apt executables. I moved the apt-shell back out of the ifndef block. I think the synaptic and packagekit fc entries, which are in both apt and rpm modules, may need to be dropped and move to the distro's patches. Either that, or this ifndef needs to turn into ifdef debian (or something else). Otherwise merged. > Index: refpolicy-2.20180701/policy/modules/admin/backup.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/backup.te > +++ refpolicy-2.20180701/policy/modules/admin/backup.te > @@ -65,6 +65,8 @@ auth_read_shadow(backup_t) > > logging_send_syslog_msg(backup_t) > > +miscfiles_read_localization(backup_t) > + > sysnet_read_config(backup_t) > > userdom_use_user_terminals(backup_t) > Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te > +++ refpolicy-2.20180701/policy/modules/admin/dpkg.te 
> @@ -317,6 +317,10 @@ optional_policy(` > ') > > optional_policy(` > + init_dbus_chat(dpkg_script_t) > +') > + > +optional_policy(` > modutils_run(dpkg_script_t, dpkg_roles) > ') > > Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te > +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te > @@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t) > fs_getattr_xattr_fs(logrotate_t) > fs_list_inotifyfs(logrotate_t) > fs_getattr_tmpfs(logrotate_t) > +# killall reads nsfs files > +fs_read_nsfs_files(logrotate_t) > > mls_file_read_all_levels(logrotate_t) > mls_file_write_all_levels(logrotate_t) > Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te > +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te > @@ -189,7 +189,7 @@ optional_policy(` > # > > allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource }; > -dontaudit groupadd_t self:capability { fsetid sys_tty_config }; > +dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config }; > allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; > allow groupadd_t self:fd use; > allow groupadd_t self:fifo_file rw_fifo_file_perms; > @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t) > userdom_dontaudit_search_user_home_dirs(groupadd_t) > > optional_policy(` > + dbus_system_bus_client(groupadd_t) > +') > + > +optional_policy(` > dpkg_use_fds(groupadd_t) > dpkg_rw_pipes(groupadd_t) > ') 
> @@ -269,6 +273,10 @@ optional_policy(` > rpm_rw_pipes(groupadd_t) > ') > > +optional_policy(` > + unconfined_use_fds(groupadd_t) > +') > + > ######################################## > # > # Passwd local policy > @@ -446,7 +454,7 @@ optional_policy(` > # > > allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource }; > -dontaudit useradd_t self:capability sys_tty_config; > +dontaudit useradd_t self:capability { net_admin sys_tty_config }; > allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit }; > allow useradd_t self:fd use; > allow useradd_t self:fifo_file rw_fifo_file_perms; > @@ -538,6 +546,10 @@ optional_policy(` > ') > > optional_policy(` > + dbus_system_bus_client(useradd_t) > +') > + > +optional_policy(` > dpkg_use_fds(useradd_t) > dpkg_rw_pipes(useradd_t) > ') > @@ -560,3 +572,7 @@ optional_policy(` > rpm_use_fds(useradd_t) > rpm_rw_pipes(useradd_t) > ') > + > +optional_policy(` > + unconfined_use_fds(useradd_t) > +') > Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te > +++ refpolicy-2.20180701/policy/modules/apps/syncthing.te > @@ -63,7 +63,3 @@ userdom_user_content_access_template(syn > > userdom_use_user_terminals(syncthing_t) > > -optional_policy(` > - # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve() > - networkmanager_read_pid_files(syncthing_t) > -') > Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc 
> @@ -181,6 +181,7 @@ ifdef(`distro_gentoo',` > /usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0) > @@ -215,6 +216,7 @@ ifdef(`distro_gentoo',` > /usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0) > +/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0) > /usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0) > @@ -319,6 +321,7 @@ ifdef(`distro_gentoo',` > /usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0) > +/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0) > Index: refpolicy-2.20180701/policy/modules/system/locallogin.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te > +++ refpolicy-2.20180701/policy/modules/system/locallogin.te 
> @@ -34,7 +34,7 @@ role system_r types sulogin_t; > > allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config }; > dontaudit local_login_t self:capability net_admin; > -allow local_login_t self:process { setexec setrlimit setsched }; > +allow local_login_t self:process { getcap setcap setexec setrlimit setsched }; > allow local_login_t self:fd use; > allow local_login_t self:fifo_file rw_fifo_file_perms; > allow local_login_t self:sock_file read_sock_file_perms; > @@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t) > > miscfiles_read_localization(local_login_t) > > +userdom_manage_all_users_keys(local_login_t) > userdom_spec_domtrans_all_users(local_login_t) > userdom_signal_all_users(local_login_t) > userdom_search_user_home_content(local_login_t) > Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te > +++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te > @@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t) > files_dontaudit_read_all_symlinks(setfiles_t) > > fs_getattr_all_xattr_fs(setfiles_t) > +fs_getattr_cgroup(setfiles_t) > fs_getattr_nfs(setfiles_t) > fs_getattr_pstore_dirs(setfiles_t) > fs_getattr_pstorefs(setfiles_t) > Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te > +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te 
> @@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t, > allow dhcpc_t dhcp_state_t:file read_file_perms; > manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t) > filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file) > +allow dhcpc_t dhcpc_state_t:file map; > > # create pid file > manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t) > @@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t) > > logging_send_syslog_msg(ifconfig_t) > > +# dhclient reads /etc/ssl > +miscfiles_read_generic_certs(dhcpc_t) > miscfiles_read_localization(ifconfig_t) > > seutil_use_runinit_fds(ifconfig_t) > Index: refpolicy-2.20180701/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20180701.orig/policy/modules/system/udev.te > +++ refpolicy-2.20180701/policy/modules/system/udev.te > @@ -306,10 +306,6 @@ optional_policy(` > ') > > optional_policy(` > - lvm_domtrans(udev_t) > -') > - > -optional_policy(` > fstools_domtrans(udev_t) > ') > > @@ -328,6 +324,10 @@ optional_policy(` > ') > > optional_policy(` > + iptables_domtrans(udev_t) > +') > + > +optional_policy(` > lvm_domtrans(udev_t) > ') > > -- Chris PeBenito
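Review bot: in the apt.fc hunk, /usr/bin/apt and /usr/sbin/update-apt-xapian-index are added unconditionally while /usr/bin/apt-shell alone is moved inside ifndef(`distro_redhat'), and neither the hunk nor the description says why apt-shell is the one entry to exclude on Red Hat; as the reply points out, the unconditional entries also overlap with the rpm module's file contexts, so either the ifndef should become a positive distro check or the shared entries should carry a comment saying which module owns them.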
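Review bot: the dpkg.te hunk grants init_dbus_chat(dpkg_script_t) with no comment on which maintainer-script action needs to exchange D-Bus messages with init; since this applies to every package script run by dpkg, a one-line comment in the style of the logrotate.te hunk ("# killall reads nsfs files") naming the triggering tool would make the rule reviewable later.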
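Review bot: the usermanage.te hunk at @@ -252 adds dbus_system_bus_client(groupadd_t) (and @@ -538 does the same for useradd_t) without a comment or description of what groupadd and useradd now do on the system bus; the net_admin dontaudit in the @@ -189 and @@ -446 hunks is fine as a silence rule since it grants nothing, but the new bus-client access should cite the denial that prompted it.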
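Review bot: the usermanage.te hunk at @@ -269 adds unconfined_use_fds(groupadd_t) (mirrored for useradd_t at @@ -560) with nothing explaining why these tools inherit file descriptors from unconfined domains; if this is for a specific caller, say so in a comment, otherwise a dontaudit would be the narrower fix for a stray inherited descriptor.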
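Review bot: the syncthing.te hunk deletes the networkmanager_read_pid_files(syncthing_t) block whose own comment calls it a temporary hack pending sysnet_dns_name_resolve() covering /run/NetworkManager/resolv.conf, but nothing in this patch or its description confirms that sysnet_dns_name_resolve() now does so; if it does not yet, syncthing on NetworkManager hosts loses access to resolv.conf, so the description should reference the change that made the hack obsolete.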
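Review bot: the corecommands.fc hunk at @@ -319 labels /usr/share/smartmontools/.* -- as bin_t, which covers every regular file under that directory rather than only the scripts smartd runs; if the directory also holds data files, a narrower pattern (or a comment confirming it contains only executables) would avoid giving non-code files an executable label. The single-file crda and rsyslog-rotate entries look fine.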
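Review bot: the locallogin.te hunk at @@ -127 adds userdom_manage_all_users_keys(local_login_t), which lets local login create, modify and destroy keyrings belonging to every user, and the getcap/setcap additions at @@ -34 likewise lack a comment; a short note naming the login step or PAM module that triggers each denial would make the scope of these rules easier to justify when they are revisited.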
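Review bot: in the sysnetwork.te hunk at @@ -339, miscfiles_read_generic_certs(dhcpc_t) is inserted between logging_send_syslog_msg(ifconfig_t) and miscfiles_read_localization(ifconfig_t), i.e. inside the ifconfig_t local policy section even though it applies to dhcpc_t; it should move into the dhcpc_t section so the file keeps one section per domain. The "# dhclient reads /etc/ssl" comment is the kind of justification the other hunks should carry too.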
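Review bot: the udev.te hunk at @@ -328 adds iptables_domtrans(udev_t) without a comment on which udev rule runs iptables; udev spawning a firewall-editing domain is worth a line of explanation. The hunk at @@ -306 removes a lvm_domtrans(udev_t) block, and since the @@ -328 context still shows one, the description should say the first was a duplicate rather than a dropped permission.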