From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Sat, 5 Jan 2019 13:34:31 -0500 [thread overview]
Message-ID: <d632cbef-182d-b5cd-95f1-ed3c9fb0b4a2@ieee.org> (raw)
In-Reply-To: <20190104073357.GB11256@aaa.coker.com.au>
On 1/4/19 2:33 AM, Russell Coker wrote:
> Lots of little patches to services.
>
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
> # Local policy
> #
>
> -allow boinc_t self:process { setsched setpgid signull sigkill };
> +allow boinc_t self:process { setsched setpgid signull sigkill signal };
> allow boinc_t self:unix_stream_socket { accept listen };
> allow boinc_t self:tcp_socket { accept listen };
> allow boinc_t self:shm create_shm_perms;
> @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
>
> can_exec(boinc_t, boinc_var_lib_t)
> libs_exec_lib_files(boinc_t)
> +# for mmap of ld.so.cache
> +libs_legacy_use_ld_so(boinc_t)
>
> domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>
> kernel_read_system_state(boinc_t)
> kernel_search_vm_sysctl(boinc_t)
> kernel_read_crypto_sysctls(boinc_t)
> +kernel_read_kernel_sysctls(boinc_t)
>
> corenet_all_recvfrom_unlabeled(boinc_t)
> corenet_all_recvfrom_netlabel(boinc_t)
> @@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
> logging_send_syslog_msg(boinc_t)
>
> miscfiles_read_fonts(boinc_t)
> +miscfiles_read_generic_certs(boinc_t)
> miscfiles_read_localization(boinc_t)
>
> tunable_policy(`boinc_execmem',`
> @@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
> userdom_getattr_user_ttys(boinc_t)
>
> optional_policy(`
> + # for lsb_release -a
> + apt_read_cache(boinc_t)
> + apt_read_db(boinc_t)
> + dpkg_exec(boinc_t)
> + dpkg_read_db(boinc_t)
> +
> + apt_read_cache(boinc_project_t)
> + apt_read_db(boinc_project_t)
> + dpkg_exec(boinc_project_t)
> + dpkg_read_db(boinc_project_t)
> +')
> +
> +optional_policy(`
> java_exec(boinc_project_t)
> ')
> Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> # Local policy
> #
>
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> allow consolekit_t self:process { getsched signal setfscreate };
> allow consolekit_t self:fifo_file rw_fifo_file_perms;
> allow consolekit_t self:unix_stream_socket { accept listen };
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
> kernel_read_system_state(devicekit_t)
>
> dev_read_sysfs(devicekit_t)
> +dev_read_rand(devicekit_t)
> dev_read_urand(devicekit_t)
>
> files_read_etc_files(devicekit_t)
> Index: refpolicy-2.20180701/policy/modules/services/dictd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
> +++ refpolicy-2.20180701/policy/modules/services/dictd.te
> @@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
> userdom_dontaudit_use_unpriv_user_fds(dictd_t)
>
> optional_policy(`
> + dbus_system_bus_client(dictd_t)
> +')
> +
> +optional_policy(`
> seutil_sigchld_newrole(dictd_t)
> ')
>
> Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
> +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
> dev_read_urand(fetchmail_t)
>
> files_read_etc_runtime_files(fetchmail_t)
> +files_read_usr_files(fetchmail_t)
> files_search_tmp(fetchmail_t)
> files_dontaudit_search_home(fetchmail_t)
>
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
> @@ -5,3 +5,4 @@
> /usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0)
>
> /run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0)
> +/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0)
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.te
> @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
> allow gdomap_t self:tcp_socket { listen accept };
>
> allow gdomap_t gdomap_var_run_t:file manage_file_perms;
> +# gdomap_var_run_t dir is for chroot
> +allow gdomap_t gdomap_var_run_t:dir search;
> files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
>
> corenet_sendrecv_gdomap_server_packets(gdomap_t)
> @@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
> auth_use_nsswitch(gdomap_t)
>
> logging_send_syslog_msg(gdomap_t)
> +
> +miscfiles_read_localization(gdomap_t)
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
>
> fs_getattr_all_fs(irqbalance_t)
> fs_search_auto_mountpoints(irqbalance_t)
> +fs_search_tmpfs(irqbalance_t)
>
> domain_use_interactive_fds(irqbalance_t)
>
> Index: refpolicy-2.20180701/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20180701/policy/modules/services/jabber.te
> @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
> allow jabberd_domain self:tcp_socket { accept listen };
>
> manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
> +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
>
> kernel_read_system_state(jabberd_domain)
>
> @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
> corenet_tcp_sendrecv_generic_if(jabberd_domain)
> corenet_tcp_sendrecv_generic_node(jabberd_domain)
> corenet_tcp_bind_generic_node(jabberd_domain)
> +corenet_udp_bind_generic_node(jabberd_domain)
>
> dev_read_urand(jabberd_domain)
> dev_read_sysfs(jabberd_domain)
> Index: refpolicy-2.20180701/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20180701/policy/modules/services/mon.te
> @@ -161,6 +161,7 @@ optional_policy(`
>
> allow mon_local_test_t self:capability sys_admin;
> allow mon_local_test_t self:fifo_file rw_file_perms;
> +allow mon_local_test_t self:process getsched;
>
> can_exec(mon_local_test_t, mon_local_test_exec_t)
>
> @@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
>
> kernel_dontaudit_getattr_core_if(mon_local_test_t)
> kernel_getattr_proc(mon_local_test_t)
> +# for ps
> +kernel_read_kernel_sysctls(mon_local_test_t)
> kernel_read_software_raid_state(mon_local_test_t)
> kernel_read_system_state(mon_local_test_t)
>
> @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
>
> logging_send_syslog_msg(mon_local_test_t)
>
> +miscfiles_read_generic_certs(mon_t)
> miscfiles_read_localization(mon_local_test_t)
>
> sysnet_read_config(mon_local_test_t)
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
> allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
> allow NetworkManager_t self:packet_socket create_socket_perms;
> allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
>
> allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
>
> Index: refpolicy-2.20180701/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20180701/policy/modules/services/policykit.te
> @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
>
> optional_policy(`
> dbus_system_domain(policykit_t, policykit_exec_t)
> + init_dbus_chat(policykit_t)
>
> userdom_dbus_send_all_users(policykit_t)
>
> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> @@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
> manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
> manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>
> +optional_policy(`
> + init_dbus_chat(postfix_bounce_t)
> +')
> +
> ########################################
> #
> # Cleanup local policy
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -248,6 +248,9 @@ optional_policy(`
> # sshd_t is the domain for the sshd program.
> #
>
> +# for /run/user/UID/bus access, probably pam_systemd.so
> +allow sshd_t self:capability dac_read_search;
> +
> # so a tunnel can point to another ssh tunnel
> allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
> allow sshd_t self:key { search link write };
> Index: refpolicy-2.20180701/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20180701/policy/modules/services/tor.te
> @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
> corenet_tcp_sendrecv_all_reserved_ports(tor_t)
>
> dev_read_sysfs(tor_t)
> +dev_read_rand(tor_t)
> dev_read_urand(tor_t)
>
> domain_use_interactive_fds(tor_t)
> @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
>
> logging_send_syslog_msg(tor_t)
>
> +miscfiles_read_generic_certs(tor_t)
> miscfiles_read_localization(tor_t)
>
> tunable_policy(`tor_bind_all_unreserved_ports',`
Merged.
--
Chris PeBenito
next prev parent reply other threads:[~2019-01-05 19:39 UTC|newest]
Thread overview: 11+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-04 7:33 [PATCH] misc services patches Russell Coker
2019-01-05 18:34 ` Chris PeBenito [this message]
2021-01-20 10:08 Russell Coker
2021-01-20 14:53 ` Dominick Grift
2021-01-21 13:25 ` Russell Coker
2021-01-21 13:35 ` Dominick Grift
2021-01-21 13:40 ` Dominick Grift
2021-01-22 2:24 ` Russell Coker
2021-01-22 7:02 ` Dominick Grift
2021-02-03 4:08 Russell Coker
2021-02-03 18:06 ` Dominick Grift
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=d632cbef-182d-b5cd-95f1-ed3c9fb0b4a2@ieee.org \
--to=pebenito@ieee.org \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).