SELinux-Refpolicy Archive on lore.kernel.org
 help / Atom feed
* [PATCH] tiny stuff for today
@ 2019-01-22  9:00 Russell Coker
  2019-01-22  9:17 ` Dominick Grift
  2019-01-23 23:27 ` Chris PeBenito
  0 siblings, 2 replies; 4+ messages in thread
From: Russell Coker @ 2019-01-22  9:00 UTC (permalink / raw)
  To: selinux-refpolicy

Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.

Lots of little stuff for system_cronjob_t.

Other minor trivial changes that should be obvious.

Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
 
 	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+## <summary>
+##	Transition to dpkg_t when NNP has been set
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`dpkg_nnp_transition',`
+	gen_require(`
+		type dpkg_t;
+	')
+
+	allow $1 dpkg_t:process2 nnp_transition;
+')
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -456,8 +456,8 @@ optional_policy(`
 # System local policy
 #
 
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
-allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
+allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
 kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
@@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 
 files_exec_etc_files(system_cronjob_t)
+files_exec_usr_files(system_cronjob_t)
 files_read_etc_runtime_files(system_cronjob_t)
 files_list_all(system_cronjob_t)
 files_getattr_all_dirs(system_cronjob_t)
@@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
 libs_exec_lib_files(system_cronjob_t)
 libs_exec_ld_so(system_cronjob_t)
 
-logging_read_generic_logs(system_cronjob_t)
+logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
 
@@ -675,6 +677,9 @@ optional_policy(`
 
 optional_policy(`
 	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+
+	# for gpg-connect-agent to access /run/user/0
+	userdom_manage_user_runtime_dirs(system_cronjob_t)
 ')
 
 ########################################
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
 
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
 
 kernel_read_crypto_sysctls(NetworkManager_t)
 kernel_read_system_state(NetworkManager_t)
@@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
 dev_getattr_all_chr_files(NetworkManager_t)
 dev_rw_wireless(NetworkManager_t)
 
+# for access(2)
+dev_write_sysfs_dirs(NetworkManager_t)
+
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_all_domains_state(NetworkManager_t)
 
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -147,6 +147,7 @@ type xauth_t;
 type xauth_exec_t;
 typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
 typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+userdom_manage_user_tmp_dirs(xauth_t)
 userdom_user_application_domain(xauth_t, xauth_exec_t)
 
 type xauth_home_t;
@@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 
 xserver_rw_xdm_tmp_files(xauth_t)
+xserver_stream_connect(xauth_t)
 
 tunable_policy(`use_nfs_home_dirs',`
 	fs_manage_nfs_files(xauth_t)
Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180701/policy/modules/system/unconfined.te
@@ -89,6 +89,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_nnp_transition(unconfined_t)
 	dpkg_run(unconfined_t, unconfined_r)
 ')
 
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
 
 fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
+fs_search_tracefs(kmod_t)
 
 init_rw_initctl(kmod_t)
 init_use_fds(kmod_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
-fs_search_cgroup_dirs(systemd_nspawn_t)
+fs_remount_xattr_fs(systemd_nspawn_t)
+fs_read_cgroup_files(systemd_nspawn_t)
 
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] tiny stuff for today
  2019-01-22  9:00 [PATCH] tiny stuff for today Russell Coker
@ 2019-01-22  9:17 ` Dominick Grift
  2019-01-22 20:08   ` Russell Coker
  2019-01-23 23:27 ` Chris PeBenito
  1 sibling, 1 reply; 4+ messages in thread
From: Dominick Grift @ 2019-01-22  9:17 UTC (permalink / raw)
  To: Russell Coker; +Cc: selinux-refpolicy\

Russell Coker <russell@coker.com.au> writes:

> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.

You misunderstood. This is ok to allow, but without the
nnp_nosuid_transition policy capability set these processes setting nnp
would potentially cause issues with SELinux.

>
> Lots of little stuff for system_cronjob_t.
>
> Other minor trivial changes that should be obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>  
>  	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>  ')
> +
> +########################################
> +## <summary>
> +##	Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -456,8 +456,8 @@ optional_policy(`
>  # System local policy
>  #
>  
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
>  allow system_cronjob_t self:fd use;
>  allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>  allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
>  kernel_getattr_message_if(system_cronjob_t)
>  
>  kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
>  domain_dontaudit_read_all_domains_state(system_cronjob_t)
>  
>  files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
>  files_read_etc_runtime_files(system_cronjob_t)
>  files_list_all(system_cronjob_t)
>  files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
>  libs_exec_lib_files(system_cronjob_t)
>  libs_exec_ld_so(system_cronjob_t)
>  
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
>  logging_send_audit_msgs(system_cronjob_t)
>  logging_send_syslog_msg(system_cronjob_t)
>  
> @@ -675,6 +677,9 @@ optional_policy(`
>  
>  optional_policy(`
>  	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> +	# for gpg-connect-agent to access /run/user/0
> +	userdom_manage_user_runtime_dirs(system_cronjob_t)
>  ')
>  
>  ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
>  manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>  files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>  
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>  
>  kernel_read_crypto_sysctls(NetworkManager_t)
>  kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
>  dev_getattr_all_chr_files(NetworkManager_t)
>  dev_rw_wireless(NetworkManager_t)
>  
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
>  domain_use_interactive_fds(NetworkManager_t)
>  domain_read_all_domains_state(NetworkManager_t)
>  
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -147,6 +147,7 @@ type xauth_t;
>  type xauth_exec_t;
>  typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>  typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
>  userdom_user_application_domain(xauth_t, xauth_exec_t)
>  
>  type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>  
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	dpkg_nnp_transition(unconfined_t)
>  	dpkg_run(unconfined_t, unconfined_r)
>  ')
>  
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>  
>  fs_getattr_xattr_fs(kmod_t)
>  fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>  
>  init_rw_initctl(kmod_t)
>  init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
>  fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>  fs_mount_tmpfs(systemd_nspawn_t)
>  fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>  
>  term_getattr_generic_ptys(systemd_nspawn_t)
>  term_getattr_pty_fs(systemd_nspawn_t)

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] tiny stuff for today
  2019-01-22  9:17 ` Dominick Grift
@ 2019-01-22 20:08   ` Russell Coker
  0 siblings, 0 replies; 4+ messages in thread
From: Russell Coker @ 2019-01-22 20:08 UTC (permalink / raw)
  To: Dominick Grift; +Cc: selinux-refpolicy

On Tuesday, 22 January 2019 8:17:15 PM AEDT Dominick Grift wrote:
> > Allow transition to dpkg_t with nnp, Dominick seems to imply this
> > shouldn't
> > be necessary.
> 
> You misunderstood. This is ok to allow, but without the
> nnp_nosuid_transition policy capability set these processes setting nnp
> would potentially cause issues with SELinux.

OK thanks for the clarification.  Debian has nnp_nosuid_transition=1 so it's 
all good.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/




^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: [PATCH] tiny stuff for today
  2019-01-22  9:00 [PATCH] tiny stuff for today Russell Coker
  2019-01-22  9:17 ` Dominick Grift
@ 2019-01-23 23:27 ` Chris PeBenito
  1 sibling, 0 replies; 4+ messages in thread
From: Chris PeBenito @ 2019-01-23 23:27 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/22/19 4:00 AM, Russell Coker wrote:
> Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
> be necessary.
> 
> Lots of little stuff for system_cronjob_t.
> 
> Other minor trivial changes that should be obvious.
> 
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
>   
>   	allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
>   ')
> +
> +########################################
> +## <summary>
> +##	Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> +	gen_require(`
> +		type dpkg_t;
> +	')
> +
> +	allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -456,8 +456,8 @@ optional_policy(`
>   # System local policy
>   #
>   
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
>   allow system_cronjob_t self:fd use;
>   allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
>   allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
>   kernel_getattr_message_if(system_cronjob_t)
>   
>   kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
>   kernel_read_kernel_sysctls(system_cronjob_t)
>   kernel_read_network_state(system_cronjob_t)
>   kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
>   domain_dontaudit_read_all_domains_state(system_cronjob_t)
>   
>   files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
>   files_read_etc_runtime_files(system_cronjob_t)
>   files_list_all(system_cronjob_t)
>   files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
>   libs_exec_lib_files(system_cronjob_t)
>   libs_exec_ld_so(system_cronjob_t)
>   
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
>   logging_send_audit_msgs(system_cronjob_t)
>   logging_send_syslog_msg(system_cronjob_t)
>   
> @@ -675,6 +677,9 @@ optional_policy(`
>   
>   optional_policy(`
>   	userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> +	# for gpg-connect-agent to access /run/user/0
> +	userdom_manage_user_runtime_dirs(system_cronjob_t)
>   ')
>   
>   ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
>   manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
>   files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
>   
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
>   
>   kernel_read_crypto_sysctls(NetworkManager_t)
>   kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
>   dev_getattr_all_chr_files(NetworkManager_t)
>   dev_rw_wireless(NetworkManager_t)
>   
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
>   domain_use_interactive_fds(NetworkManager_t)
>   domain_read_all_domains_state(NetworkManager_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -147,6 +147,7 @@ type xauth_t;
>   type xauth_exec_t;
>   typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
>   typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
>   userdom_user_application_domain(xauth_t, xauth_exec_t)
>   
>   type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
>   userdom_read_user_tmp_files(xauth_t)
>   
>   xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
>   
>   tunable_policy(`use_nfs_home_dirs',`
>   	fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dpkg_nnp_transition(unconfined_t)
>   	dpkg_run(unconfined_t, unconfined_r)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
>   
>   fs_getattr_xattr_fs(kmod_t)
>   fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
>   
>   init_rw_initctl(kmod_t)
>   init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
>   fs_manage_tmpfs_chr_files(systemd_nspawn_t)
>   fs_mount_tmpfs(systemd_nspawn_t)
>   fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
>   
>   term_getattr_generic_ptys(systemd_nspawn_t)
>   term_getattr_pty_fs(systemd_nspawn_t)

Merged.

-- 
Chris PeBenito

^ permalink raw reply	[flat|nested] 4+ messages in thread

end of thread, back to index

Thread overview: 4+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2019-01-22  9:00 [PATCH] tiny stuff for today Russell Coker
2019-01-22  9:17 ` Dominick Grift
2019-01-22 20:08   ` Russell Coker
2019-01-23 23:27 ` Chris PeBenito

SELinux-Refpolicy Archive on lore.kernel.org

Archives are clonable:
	git clone --mirror https://lore.kernel.org/selinux-refpolicy/0 selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ https://lore.kernel.org/selinux-refpolicy \
		selinux-refpolicy@vger.kernel.org selinux-refpolicy@archiver.kernel.org
	public-inbox-index selinux-refpolicy


Newsgroup available over NNTP:
	nntp://nntp.lore.kernel.org/org.kernel.vger.selinux-refpolicy


AGPL code for this site: git clone https://public-inbox.org/ public-inbox