[PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

[PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

[Russell Coker]

Lots of little stuff.

Also the sysnet_dns_name_resolve() change the previous patch needed.

Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
 files_dontaudit_read_all_symlinks(setfiles_t)
 
 fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
 fs_getattr_nfs(setfiles_t)
 fs_getattr_pstore_dirs(setfiles_t)
 fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.if
@@ -755,6 +755,10 @@ interface(`sysnet_dns_name_resolve',`
 	optional_policy(`
 		nscd_use($1)
 	')
+	optional_policy(`
+	# for /etc/resolv.conf symlink
+		networkmanager_read_pid_files($1)
+	')
 
 	ifdef(`init_systemd',`
 		optional_policy(`
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
 allow dhcpc_t dhcp_state_t:file read_file_perms;
 manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
 filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
 
 # create pid file
 manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
 
 logging_send_syslog_msg(ifconfig_t)
 
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
 miscfiles_read_localization(ifconfig_t)
 
 seutil_use_runinit_fds(ifconfig_t)
Index: refpolicy-2.20180701/policy/modules/services/consolekit.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
+++ refpolicy-2.20180701/policy/modules/services/consolekit.te
@@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
 # Local policy
 #
 
-allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
+allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
 allow consolekit_t self:process { getsched signal setfscreate };
 allow consolekit_t self:fifo_file rw_fifo_file_perms;
 allow consolekit_t self:unix_stream_socket { accept listen };
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
 #
 
 allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
 allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow groupadd_t self:fd use;
 allow groupadd_t self:fifo_file rw_fifo_file_perms;
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
 userdom_dontaudit_search_user_home_dirs(groupadd_t)
 
 optional_policy(`
+	dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(groupadd_t)
 	dpkg_rw_pipes(groupadd_t)
 ')
@@ -269,6 +273,10 @@ optional_policy(`
 	rpm_rw_pipes(groupadd_t)
 ')
 
+optional_policy(`
+	unconfined_use_fds(groupadd_t)
+')
+
 ########################################
 #
 # Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
 #
 
 allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
 allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
 allow useradd_t self:fd use;
 allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
 	dpkg_use_fds(useradd_t)
 	dpkg_rw_pipes(useradd_t)
 ')
@@ -560,3 +572,7 @@ optional_policy(`
 	rpm_use_fds(useradd_t)
 	rpm_rw_pipes(useradd_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/admin/apt.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.if
+++ refpolicy-2.20180701/policy/modules/admin/apt.if
@@ -171,7 +171,7 @@ interface(`apt_read_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir list_dir_perms;
-	allow $1 apt_var_cache_t:file read_file_perms;
+	allow $1 apt_var_cache_t:file mmap_read_file_perms;
 ')
 
 ########################################
@@ -191,7 +191,7 @@ interface(`apt_manage_cache',`
 
 	files_search_var($1)
 	allow $1 apt_var_cache_t:dir manage_dir_perms;
-	allow $1 apt_var_cache_t:file manage_file_perms;
+	allow $1 apt_var_cache_t:file { manage_file_perms map };
 ')
 
 ########################################
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')
 
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
 ')
 
 optional_policy(`
-	lvm_domtrans(udev_t)
-')
-
-optional_policy(`
 	fstools_domtrans(udev_t)
 ')
 
@@ -328,6 +324,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	iptables_domtrans(udev_t)
+	iptables_write_pipe(udev_t)
+')
+
+optional_policy(`
 	lvm_domtrans(udev_t)
 ')
 
Index: refpolicy-2.20180701/policy/modules/system/iptables.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
+++ refpolicy-2.20180701/policy/modules/system/iptables.if
@@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
 
 ########################################
 ## <summary>
+##	Allow iptables to write to a pipe
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain to be written to
+##	</summary>
+## </param>
+#
+interface(`iptables_write_pipe',`
+	gen_require(`
+		type iptables_t;
+	')
+
+	allow iptables_t $1:fifo_file write;
+')
+
+########################################
+## <summary>
 ##	Execute iptables in the iptables domain, and
 ##	allow the specified role the iptables domain.
 ## </summary>
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
 fs_getattr_xattr_fs(logrotate_t)
 fs_list_inotifyfs(logrotate_t)
 fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
 
 mls_file_read_all_levels(logrotate_t)
 mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/services/gpm.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/gpm.if
+++ refpolicy-2.20180701/policy/modules/services/gpm.if
@@ -59,6 +59,7 @@ interface(`gpm_dontaudit_getattr_gpmctl'
 	')
 
 	dontaudit $1 gpmctl_t:sock_file getattr_sock_file_perms;
+	dontaudit $1 gpmctl_t:fifo_file getattr_fifo_file_perms;
 ')
 
 ########################################

Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

[Chris PeBenito]

On 1/2/19 3:45 AM, Russell Coker wrote:
> Lots of little stuff.
> 
> Also the sysnet_dns_name_resolve() change the previous patch needed.
> 
[...]

> --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
>   # Local policy
>   #
>   
> -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };

Since you're getting the dac_read_search denial, the dac_override 
probably isn't necessary anymore.  Can you retest without it?



[...]
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20180701/policy/modules/system/udev.te
[...]

> @@ -328,6 +324,11 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	iptables_domtrans(udev_t)
> +	iptables_write_pipe(udev_t)

I'm not clear why this separate pipe interface is necessary, as that 
access should be provided by the domtrans interface already.


> --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
>   
>   ########################################
>   ## <summary>
> +##	Allow iptables to write to a pipe
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain to be written to
> +##	</summary>
> +## </param>
> +#
> +interface(`iptables_write_pipe',`

Should be iptables_write_inherited_pipe().

> +	gen_require(`
> +		type iptables_t;
> +	')
> +
> +	allow iptables_t $1:fifo_file write;
> +')
> +

-- 
Chris PeBenito

Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

[Jason Zaman]

On Wed, Jan 02, 2019 at 07:07:19PM -0500, Chris PeBenito wrote:
> On 1/2/19 3:45 AM, Russell Coker wrote:
> > Lots of little stuff.
> > 
> > Also the sysnet_dns_name_resolve() change the previous patch needed.
> > 
> [...]
> 
> > --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> > +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> > @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> >   # Local policy
> >   #
> >   
> > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> 
> Since you're getting the dac_read_search denial, the dac_override 
> probably isn't necessary anymore.  Can you retest without it?

No, consolekit definitely needs dac_override. It needs to be able to
nuke /run/user/1000/*. it perhaps doesnt need to read only nuke but i'd
say grant the perm instead of dontaudit makes things easier if doing
semodule -DB.
> 
> 
> 
> [...]
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> > +++ refpolicy-2.20180701/policy/modules/system/udev.te
> [...]
> 
> > @@ -328,6 +324,11 @@ optional_policy(`
> >   ')
> >   
> >   optional_policy(`
> > +	iptables_domtrans(udev_t)
> > +	iptables_write_pipe(udev_t)
> 
> I'm not clear why this separate pipe interface is necessary, as that 
> access should be provided by the domtrans interface already.
> 
> 
> > --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> > +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> > @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
> >   
> >   ########################################
> >   ## <summary>
> > +##	Allow iptables to write to a pipe
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain to be written to
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`iptables_write_pipe',`
> 
> Should be iptables_write_inherited_pipe().
> 
> > +	gen_require(`
> > +		type iptables_t;
> > +	')
> > +
> > +	allow iptables_t $1:fifo_file write;
> > +')
> > +
> 
> -- 
> Chris PeBenito

Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

[Russell Coker]

On Thursday, 3 January 2019 4:16:14 PM AEDT Jason Zaman wrote:
> > > -allow consolekit_t self:capability { chown dac_override fowner setgid
> > > setuid sys_admin sys_nice sys_ptrace sys_tty_config }; +allow
> > > consolekit_t self:capability { chown dac_override dac_read_search
> > > fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };> 
> > Since you're getting the dac_read_search denial, the dac_override
> > probably isn't necessary anymore.  Can you retest without it?
> 
> No, consolekit definitely needs dac_override. It needs to be able to
> nuke /run/user/1000/*. it perhaps doesnt need to read only nuke but i'd
> say grant the perm instead of dontaudit makes things easier if doing
> semodule -DB.

Thanks for that comment.

As an aside we might consider a policy of having all capabilities documented 
in future.  For the existing policy it's going to be an unpleasant task to 
comment things.  But for greenfields stuff I think it makes sense to require 
it.

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/