* [PATCH] misc services patches
@ 2019-01-04  7:33 Russell Coker
  2019-01-05 18:34 ` Chris PeBenito
From: Russell Coker @ 2019-01-04  7:33 UTC (permalink / raw)
  To: selinux-refpolicy

Lots of little patches to services.

Index: refpolicy-2.20180701/policy/modules/services/boinc.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
+++ refpolicy-2.20180701/policy/modules/services/boinc.te
@@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
 # Local policy
 #
 
-allow boinc_t self:process { setsched setpgid signull sigkill };
+allow boinc_t self:process { setsched setpgid signull sigkill signal };
 allow boinc_t self:unix_stream_socket { accept listen };
 allow boinc_t self:tcp_socket { accept listen };
 allow boinc_t self:shm create_shm_perms;
@@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
 
 can_exec(boinc_t, boinc_var_lib_t)
 libs_exec_lib_files(boinc_t)
+# for mmap of ld.so.cache
+libs_legacy_use_ld_so(boinc_t)
 
 domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
 
 kernel_read_system_state(boinc_t)
 kernel_search_vm_sysctl(boinc_t)
 kernel_read_crypto_sysctls(boinc_t)
+kernel_read_kernel_sysctls(boinc_t)
 
 corenet_all_recvfrom_unlabeled(boinc_t)
 corenet_all_recvfrom_netlabel(boinc_t)
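Review bot: `kernel_read_kernel_sysctls(boinc_t)` on the line after `kernel_read_crypto_sysctls` carries no justification, while the neighbouring `libs_legacy_use_ld_so` line does, and the interface grants read access to everything under /proc/sys/kernel rather than one entry. Please record what triggered it so a later reviewer can judge whether a narrower interface would do, e.g. `# for /proc/sys/kernel/* reads by <program> (TODO: record the denied sysctl)`. If the access is for a single file such as osrelease, check whether a finer-grained kernel_* interface covers it before taking the whole set. The boinc_t local policy continues outside this hunk.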
@@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
 logging_send_syslog_msg(boinc_t)
 
 miscfiles_read_fonts(boinc_t)
+miscfiles_read_generic_certs(boinc_t)
 miscfiles_read_localization(boinc_t)
 
 tunable_policy(`boinc_execmem',`
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
 userdom_getattr_user_ttys(boinc_t)
 
 optional_policy(`
+	# for lsb_release -a
+	apt_read_cache(boinc_t)
+	apt_read_db(boinc_t)
+	dpkg_exec(boinc_t)
+	dpkg_read_db(boinc_t)
+
+	apt_read_cache(boinc_project_t)
+	apt_read_db(boinc_project_t)
+	dpkg_exec(boinc_project_t)
+	dpkg_read_db(boinc_project_t)
+')
+
+optional_policy(`
 	java_exec(boinc_project_t)
 ')
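Review bot: The new `optional_policy` block mixes `apt_*` and `dpkg_*` interfaces; an optional_policy block is dropped as a whole when any interface it names is unavailable, so a policy built with the dpkg module but not apt (or vice versa) would silently lose all eight rules, given that apt and dpkg are separate modules in refpolicy's admin layer. Split it into two blocks, one holding the four apt_* calls and one holding the four dpkg_* calls, repeating the `# for lsb_release -a` comment in each. Separately, if boinc_project_t runs downloaded project applications as its name suggests, `dpkg_exec(boinc_project_t)` lets that code execute dpkg in its own domain; if only the client needs lsb_release, dropping the four boinc_project_t lines keeps the less trusted domain tighter.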
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
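Review bot: `dac_read_search` is added to consolekit_t's capability set without a note on which path needed it, unlike the ssh hunk in this same series which names its trigger. Since the set already holds `dac_override`, the new bit is presumably there because the kernel tries CAP_DAC_READ_SEARCH first for read/search access and audits that miss; a one-line comment such as `# dac_read_search: read/search of <path> by consolekit (TODO: record the denial)` would let the next reviewer tell whether dac_override is still needed for writes or could be dropped. The consolekit_t local policy continues outside this hunk.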
Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20180701/policy/modules/services/devicekit.te
@@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
 kernel_read_system_state(devicekit_t)
 
 dev_read_sysfs(devicekit_t)
+dev_read_rand(devicekit_t)
 dev_read_urand(devicekit_t)
 
 files_read_etc_files(devicekit_t)
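Review bot: `dev_read_rand(devicekit_t)` grants reads on /dev/random, which on kernels of this era can block when the entropy pool is low, so a daemon that merely needs randomness should be reading /dev/urandom, already allowed on the next line. If the denial came from a library probing /dev/random without depending on it, a dontaudit variant of the interface (if one exists) keeps the log quiet without widening the policy; if devicekit genuinely reads it, a short comment naming the consumer, e.g. `# <library> reads /dev/random for <purpose>`, would justify the grant.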
Index: refpolicy-2.20180701/policy/modules/services/dictd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
+++ refpolicy-2.20180701/policy/modules/services/dictd.te
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
 userdom_dontaudit_use_unpriv_user_fds(dictd_t)
 
 optional_policy(`
+	dbus_system_bus_client(dictd_t)
+')
+
+optional_policy(`
 	seutil_sigchld_newrole(dictd_t)
 ')
 
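Review bot: `dbus_system_bus_client(dictd_t)` turns a dictionary server into a system-bus client with no comment on what it talks to; the interface lets the domain connect to and send on the system bus, which is more than a daemon like this usually needs. If the trigger is a library attempting a bus connection at start-up that dictd works fine without, a dontaudit would be the tighter fix; otherwise add `# for <bus peer> via libdbus/libsystemd (TODO: confirm)` above the call and, where a specific service is involved, the matching `<service>_dbus_chat(dictd_t)` alongside it.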
Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
+++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
@@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
 dev_read_urand(fetchmail_t)
 
 files_read_etc_runtime_files(fetchmail_t)
+files_read_usr_files(fetchmail_t)
 files_search_tmp(fetchmail_t)
 files_dontaudit_search_home(fetchmail_t)
 
Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
+++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
@@ -5,3 +5,4 @@
 /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
 
 /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
+/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
+++ refpolicy-2.20180701/policy/modules/services/gdomap.te
@@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
 allow gdomap_t self:tcp_socket { listen accept };
 
 allow gdomap_t gdomap_var_run_t:file manage_file_perms;
+# gdomap_var_run_t dir is for chroot
+allow gdomap_t gdomap_var_run_t:dir search;
 files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
 
 corenet_sendrecv_gdomap_server_packets(gdomap_t)
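Review bot: The chroot comment explains the `dir search` grant, but chroot(2) also needs CAP_SYS_CHROOT in gdomap_t's capability set, which begins on the context line at the top of this hunk (`net_bin…`) and is cut off here; if sys_chroot is not already in that set the chroot will still be denied. Nothing in this hunk creates /run/gdomap either, so the new `/run/gdomap(/.*)?` fc entry only takes effect if the directory is made outside gdomap_t (tmpfiles or an init script) or restorecon'd; if gdomap creates it itself it additionally needs `files_pid_filetrans(gdomap_t, gdomap_var_run_t, dir, "gdomap")` and `create` on the dir. State which in the comment, e.g. `# /run/gdomap is created by the init script (confirm) and used only as the chroot target, so search suffices`.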
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
 auth_use_nsswitch(gdomap_t)
 
 logging_send_syslog_msg(gdomap_t)
+
+miscfiles_read_localization(gdomap_t)
Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
+++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
@@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
 
 fs_getattr_all_fs(irqbalance_t)
 fs_search_auto_mountpoints(irqbalance_t)
+fs_search_tmpfs(irqbalance_t)
 
 domain_use_interactive_fds(irqbalance_t)
 
Index: refpolicy-2.20180701/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20180701/policy/modules/services/jabber.te
@@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
 allow jabberd_domain self:tcp_socket { accept listen };
 
 manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
+allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
 
 kernel_read_system_state(jabberd_domain)
 
@@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
 corenet_tcp_sendrecv_generic_if(jabberd_domain)
 corenet_tcp_sendrecv_generic_node(jabberd_domain)
 corenet_tcp_bind_generic_node(jabberd_domain)
+corenet_udp_bind_generic_node(jabberd_domain)
 
 dev_read_urand(jabberd_domain)
 dev_read_sysfs(jabberd_domain)
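Review bot: `corenet_udp_bind_generic_node(jabberd_domain)` lets every jabberd domain bind UDP sockets to any node address, but nothing else in this series grants a UDP port or the `udp_socket` class, so either the bind still fails outside this hunk or those rules already exist somewhere not shown. If the need is a specific service, name it and pair the node bind with the matching `corenet_udp_bind_<port>_port` interface rather than leaving an open-ended node grant; a comment such as `# <component> binds UDP for <purpose> (TODO: which port)` would make the intent checkable.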
Index: refpolicy-2.20180701/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/mon.te
+++ refpolicy-2.20180701/policy/modules/services/mon.te
@@ -161,6 +161,7 @@ optional_policy(`
 
 allow mon_local_test_t self:capability sys_admin;
 allow mon_local_test_t self:fifo_file rw_file_perms;
+allow mon_local_test_t self:process getsched;
 
 can_exec(mon_local_test_t, mon_local_test_exec_t)
 
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
 
 kernel_dontaudit_getattr_core_if(mon_local_test_t)
 kernel_getattr_proc(mon_local_test_t)
+# for ps
+kernel_read_kernel_sysctls(mon_local_test_t)
 kernel_read_software_raid_state(mon_local_test_t)
 kernel_read_system_state(mon_local_test_t)
 
@@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
 
 logging_send_syslog_msg(mon_local_test_t)
 
+miscfiles_read_generic_certs(mon_t)
 miscfiles_read_localization(mon_local_test_t)
 
 sysnet_read_config(mon_local_test_t)
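Review bot: `miscfiles_read_generic_certs(mon_t)` is inserted into the mon_local_test_t local-policy section — every surrounding rule in this hunk targets mon_local_test_t — so either the argument should be `mon_local_test_t` or the line belongs in the mon_t section earlier in the file. Refpolicy keeps one domain per local-policy section; as written, a reader skimming this section will assume the grant is for the test domain. If mon_t is intended, move it up next to mon_t's other miscfiles_* calls with a short comment on what needs the certificates (TLS-based monitors, presumably).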
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
 allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
 allow NetworkManager_t self:packet_socket create_socket_perms;
 allow NetworkManager_t self:socket create_socket_perms;
+allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
 
 allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
 
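Review bot: The hand-picked `rawip_socket { create setopt getattr write read }` set is tighter than `create_socket_perms`, which is good, but it should say what the raw socket is for so the next person who sees a `bind` or `getopt` denial knows whether to extend this line or investigate; ICMP/ND connectivity checks are the usual reason, though that is a guess from here. Suggested comment above the rule: `# raw IP socket for <purpose> (ICMP connectivity checks? TODO confirm); deliberately narrower than create_socket_perms`.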
Index: refpolicy-2.20180701/policy/modules/services/policykit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
+++ refpolicy-2.20180701/policy/modules/services/policykit.te
@@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
 
 optional_policy(`
 	dbus_system_domain(policykit_t, policykit_exec_t)
+	init_dbus_chat(policykit_t)
 
 	userdom_dbus_send_all_users(policykit_t)
 
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
 manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
 
+optional_policy(`
+	init_dbus_chat(postfix_bounce_t)
+')
+
 ########################################
 #
 # Cleanup local policy
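Review bot: `init_dbus_chat(postfix_bounce_t)` gives the bounce daemon two-way D-Bus messaging with init, a large grant for a process whose job is queuing bounce messages, and no comment says what called for it. If the trigger is sd_notify-style readiness signalling, that travels over a datagram socket and a `init_dgram_send`-style interface (if available) would be narrower; if it is a library connecting to the bus at start-up that postfix tolerates failing, a dontaudit is enough. Record the observed denial above the call, e.g. `# bounce(8) talks to systemd over D-Bus for <reason> (TODO: confirm)`.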
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -248,6 +248,9 @@ optional_policy(`
 # sshd_t is the domain for the sshd program.
 #
 
+# for /run/user/UID/bus access, probably pam_systemd.so
+allow sshd_t self:capability dac_read_search;
+
 # so a tunnel can point to another ssh tunnel
 allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
 allow sshd_t self:key { search link write };
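Review bot: The new `dac_read_search` on sshd_t is justified only by a comment that says "probably pam_systemd.so", so the grant is being made on a guess for a network-facing root daemon. Before merging, pin it down from the audit record (denied path and comm) and rewrite the comment as a statement, e.g. `# dac_read_search: pam_systemd searches /run/user/UID (mode 0700, user-owned) during session setup`; if the access turns out to come from the user's session rather than sshd itself, it belongs in the session domain instead. The sshd_t local policy continues outside this hunk.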
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
 corenet_tcp_sendrecv_all_reserved_ports(tor_t)
 
 dev_read_sysfs(tor_t)
+dev_read_rand(tor_t)
 dev_read_urand(tor_t)
 
 domain_use_interactive_fds(tor_t)
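Review bot: `dev_read_rand(tor_t)` on the line before `dev_read_urand` widens tor_t to /dev/random, which can block on low entropy; Tor and OpenSSL normally get by on urandom, already allowed, so this looks more like a probe than a real dependency. If Tor runs correctly without it, prefer a dontaudit over an allow; if it really reads /dev/random (key generation, perhaps — a guess), a comment such as `# tor reads /dev/random for <purpose>` would justify the line.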
@@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
 
 logging_send_syslog_msg(tor_t)
 
+miscfiles_read_generic_certs(tor_t)
 miscfiles_read_localization(tor_t)
 
 tunable_policy(`tor_bind_all_unreserved_ports',`


* Re: [PATCH] misc services patches
  2019-01-04  7:33 [PATCH] misc services patches Russell Coker
@ 2019-01-05 18:34 ` Chris PeBenito
From: Chris PeBenito @ 2019-01-05 18:34 UTC (permalink / raw)
  To: Russell Coker, selinux-refpolicy

On 1/4/19 2:33 AM, Russell Coker wrote:
> Lots of little patches to services.
> 
> Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t)
>   # Local policy
>   #
>   
> -allow boinc_t self:process { setsched setpgid signull sigkill };
> +allow boinc_t self:process { setsched setpgid signull sigkill signal };
>   allow boinc_t self:unix_stream_socket { accept listen };
>   allow boinc_t self:tcp_socket { accept listen };
>   allow boinc_t self:shm create_shm_perms;
> @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log
>   
>   can_exec(boinc_t, boinc_var_lib_t)
>   libs_exec_lib_files(boinc_t)
> +# for mmap of ld.so.cache
> +libs_legacy_use_ld_so(boinc_t)
>   
>   domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t)
>   
>   kernel_read_system_state(boinc_t)
>   kernel_search_vm_sysctl(boinc_t)
>   kernel_read_crypto_sysctls(boinc_t)
> +kernel_read_kernel_sysctls(boinc_t)
>   
>   corenet_all_recvfrom_unlabeled(boinc_t)
>   corenet_all_recvfrom_netlabel(boinc_t)
> @@ -142,6 +145,7 @@ init_read_utmp(boinc_t)
>   logging_send_syslog_msg(boinc_t)
>   
>   miscfiles_read_fonts(boinc_t)
> +miscfiles_read_generic_certs(boinc_t)
>   miscfiles_read_localization(boinc_t)
>   
>   tunable_policy(`boinc_execmem',`
> @@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t)
>   userdom_getattr_user_ttys(boinc_t)
>   
>   optional_policy(`
> +	# for lsb_release -a
> +	apt_read_cache(boinc_t)
> +	apt_read_db(boinc_t)
> +	dpkg_exec(boinc_t)
> +	dpkg_read_db(boinc_t)
> +
> +	apt_read_cache(boinc_project_t)
> +	apt_read_db(boinc_project_t)
> +	dpkg_exec(boinc_project_t)
> +	dpkg_read_db(boinc_project_t)
> +')
> +
> +optional_policy(`
>   	java_exec(boinc_project_t)
>   ')
> Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
>   # Local policy
>   #
>   
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
>   allow consolekit_t self:process { getsched signal setfscreate };
>   allow consolekit_t self:fifo_file rw_fifo_file_perms;
>   allow consolekit_t self:unix_stream_socket { accept listen };
> Index: refpolicy-2.20180701/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20180701/policy/modules/services/devicekit.te
> @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek
>   kernel_read_system_state(devicekit_t)
>   
>   dev_read_sysfs(devicekit_t)
> +dev_read_rand(devicekit_t)
>   dev_read_urand(devicekit_t)
>   
>   files_read_etc_files(devicekit_t)
> Index: refpolicy-2.20180701/policy/modules/services/dictd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te
> +++ refpolicy-2.20180701/policy/modules/services/dictd.te
> @@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t)
>   userdom_dontaudit_use_unpriv_user_fds(dictd_t)
>   
>   optional_policy(`
> +	dbus_system_bus_client(dictd_t)
> +')
> +
> +optional_policy(`
>   	seutil_sigchld_newrole(dictd_t)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te
> +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te
> @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t)
>   dev_read_urand(fetchmail_t)
>   
>   files_read_etc_runtime_files(fetchmail_t)
> +files_read_usr_files(fetchmail_t)
>   files_search_tmp(fetchmail_t)
>   files_dontaudit_search_home(fetchmail_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc
> @@ -5,3 +5,4 @@
>   /usr/bin/gdomap	--	gen_context(system_u:object_r:gdomap_exec_t,s0)
>   
>   /run/gdomap\.pid	--	gen_context(system_u:object_r:gdomap_var_run_t,s0)
> +/run/gdomap(/.*)?		gen_context(system_u:object_r:gdomap_var_run_t,s0)
> Index: refpolicy-2.20180701/policy/modules/services/gdomap.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te
> +++ refpolicy-2.20180701/policy/modules/services/gdomap.te
> @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin
>   allow gdomap_t self:tcp_socket { listen accept };
>   
>   allow gdomap_t gdomap_var_run_t:file manage_file_perms;
> +# gdomap_var_run_t dir is for chroot
> +allow gdomap_t gdomap_var_run_t:dir search;
>   files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid")
>   
>   corenet_sendrecv_gdomap_server_packets(gdomap_t)
> @@ -44,3 +46,5 @@ files_search_tmp(gdomap_t)
>   auth_use_nsswitch(gdomap_t)
>   
>   logging_send_syslog_msg(gdomap_t)
> +
> +miscfiles_read_localization(gdomap_t)
> Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te
> +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te
> @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_
>   
>   fs_getattr_all_fs(irqbalance_t)
>   fs_search_auto_mountpoints(irqbalance_t)
> +fs_search_tmpfs(irqbalance_t)
>   
>   domain_use_interactive_fds(irqbalance_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/jabber.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te
> +++ refpolicy-2.20180701/policy/modules/services/jabber.te
> @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f
>   allow jabberd_domain self:tcp_socket { accept listen };
>   
>   manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)
> +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;
>   
>   kernel_read_system_state(jabberd_domain)
>   
> @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do
>   corenet_tcp_sendrecv_generic_if(jabberd_domain)
>   corenet_tcp_sendrecv_generic_node(jabberd_domain)
>   corenet_tcp_bind_generic_node(jabberd_domain)
> +corenet_udp_bind_generic_node(jabberd_domain)
>   
>   dev_read_urand(jabberd_domain)
>   dev_read_sysfs(jabberd_domain)
> Index: refpolicy-2.20180701/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20180701/policy/modules/services/mon.te
> @@ -161,6 +161,7 @@ optional_policy(`
>   
>   allow mon_local_test_t self:capability sys_admin;
>   allow mon_local_test_t self:fifo_file rw_file_perms;
> +allow mon_local_test_t self:process getsched;
>   
>   can_exec(mon_local_test_t, mon_local_test_exec_t)
>   
> @@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m
>   
>   kernel_dontaudit_getattr_core_if(mon_local_test_t)
>   kernel_getattr_proc(mon_local_test_t)
> +# for ps
> +kernel_read_kernel_sysctls(mon_local_test_t)
>   kernel_read_software_raid_state(mon_local_test_t)
>   kernel_read_system_state(mon_local_test_t)
>   
> @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t)
>   
>   logging_send_syslog_msg(mon_local_test_t)
>   
> +miscfiles_read_generic_certs(mon_t)
>   miscfiles_read_localization(mon_local_test_t)
>   
>   sysnet_read_config(mon_local_test_t)
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket {
>   allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto };
>   allow NetworkManager_t self:packet_socket create_socket_perms;
>   allow NetworkManager_t self:socket create_socket_perms;
> +allow NetworkManager_t self:rawip_socket { create setopt getattr write read };
>   
>   allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto;
>   
> Index: refpolicy-2.20180701/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20180701/policy/modules/services/policykit.te
> @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t
>   
>   optional_policy(`
>   	dbus_system_domain(policykit_t, policykit_exec_t)
> +	init_dbus_chat(policykit_t)
>   
>   	userdom_dbus_send_all_users(policykit_t)
>   
> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> @@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po
>   manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t)
>   
> +optional_policy(`
> +	init_dbus_chat(postfix_bounce_t)
> +')
> +
>   ########################################
>   #
>   # Cleanup local policy
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -248,6 +248,9 @@ optional_policy(`
>   # sshd_t is the domain for the sshd program.
>   #
>   
> +# for /run/user/UID/bus access, probably pam_systemd.so
> +allow sshd_t self:capability dac_read_search;
> +
>   # so a tunnel can point to another ssh tunnel
>   allow sshd_t self:netlink_route_socket r_netlink_socket_perms;
>   allow sshd_t self:key { search link write };
> Index: refpolicy-2.20180701/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20180701/policy/modules/services/tor.te
> @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t)
>   corenet_tcp_sendrecv_all_reserved_ports(tor_t)
>   
>   dev_read_sysfs(tor_t)
> +dev_read_rand(tor_t)
>   dev_read_urand(tor_t)
>   
>   domain_use_interactive_fds(tor_t)
> @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t)
>   
>   logging_send_syslog_msg(tor_t)
>   
> +miscfiles_read_generic_certs(tor_t)
>   miscfiles_read_localization(tor_t)
>   
>   tunable_policy(`tor_bind_all_unreserved_ports',`

Merged.

-- 
Chris PeBenito

