selinux-refpolicy.vger.kernel.org archive mirror
From: Chris PeBenito <pebenito@ieee.org>
To: russell@coker.com.au
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login
Date: Thu, 3 Jan 2019 17:34:51 -0500
Message-ID: <bd820fb1-f98d-3ade-3be0-eb76e5a7c431@ieee.org>
In-Reply-To: <1772308.Oo6GzzOkXA@xev>

On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?

My preference in this case would be resubmit.


> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
>> On 1/2/19 3:40 AM, Russell Coker wrote:
>>> Lots of little things that are self-explanatory.
>>>
>>> Boinc has some unusual stuff for lsb_release -a and for mmaping
>>> ld.so.cache.
>>>
>>> Remove obsolete policy from syncthing as we have it in
>>> sysnet_dns_name_resolve().
>>
>> [...]
>>
>>> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
>>> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
>>
>> [...]
>>
>>> @@ -169,7 +173,7 @@ optional_policy(`
>>>
>>>    #
>>>    
>>>    allow boinc_project_t self:capability { setgid setuid };
>>>
>>> -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
>>> setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
>>> self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
>>> setsched signal signal_perms };
>> This change shouldn't be necessary since signal is already in signal_perms.
>>
>> [...]
>>
>>> --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
>>> +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
>>> @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
>>>
>>>    #######################################
>>>    ## <summary>
>>>
>>> +##	relabel the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##	<summary>
>>> +##	Domain allowed access.
>>> +##	</summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_relabel_lastlog',`
>>> +	gen_require(`
>>> +		type lastlog_t;
>>> +	')
>>> +
>>> +	logging_search_logs($1)
>>> +	allow $1 lastlog_t:file { relabelfrom relabelto };
>>> +')
>>> +
>>> +#######################################
>>> +## <summary>
>>>
>>>    ##	Read and write to the last logins log.
>>>    ## </summary>
>>>    ## <param name="domain">
>>>
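Review bot: The summary line `##	relabel the last logins log.` in the new auth_relabel_lastlog doc block starts lowercase, while the neighbouring blocks use `##	Read and write to the last logins log.`; capitalize it so the generated interface documentation reads consistently. Callers should also keep in mind that `relabelto` on lastlog_t lets a domain convert any file it already holds `relabelfrom` on into a lastlog_t file, so this interface belongs only in domains that genuinely need to relabel the lastlog file, not as a blanket addition next to read/write access.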
>>> @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
>>>
>>>    ')
>>>    
>>>    ########################################
>>>
>>> +## <summary>
>>> +##     Manage the last logins log.
>>> +## </summary>
>>> +## <param name="domain">
>>> +##     <summary>
>>> +##     Domain allowed access.
>>> +##     </summary>
>>> +## </param>
>>> +#
>>> +interface(`auth_manage_lastlog',`
>>> +	gen_require(`
>>> +		type lastlog_t;
>>> +	')
>>> +
>>> +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
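Review bot: The doc block for auth_manage_lastlog (`##     Manage the last logins log.`, `##     <summary>`) indents with spaces, whereas the auth_relabel_lastlog block added earlier in this patch and the existing auth_rw_lastlog block (`##	Read and write to the last logins log.`) indent with a tab; use the tab form throughout so the three interface headers in authlogin.if match.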
>>
>> The relabel perms shouldn't be in here.  I'd say split it into a new
>> interface, but you're adding the other interface earlier in the patch.

-- 
Chris PeBenito

Thread overview: 4+ messages
2019-01-02  8:40 [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login Russell Coker
2019-01-02 23:52 ` Chris PeBenito
2019-01-03  1:27   ` Russell Coker
2019-01-03 22:34     ` Chris PeBenito [this message]
