* [refpolicy] [PATCH 01/12] More .maildir fixes
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
A previous commit provided initial support for ~/.maildir as a mail home
directory. This patch further implements this by adding the necessary named
file transitions where one for "~/Maildir" already existed.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
dovecot.te | 1 +
mta.te | 1 +
procmail.te | 1 +
uwimap.te | 1 +
4 files changed, 4 insertions(+), 0 deletions(-)
diff --git a/dovecot.te b/dovecot.te
index 73c8686..b0f48ea 100644
--- a/dovecot.te
+++ b/dovecot.te
@@ -191,6 +191,7 @@ optional_policy(`
mta_manage_spool(dovecot_t)
mta_manage_mail_home_rw_content(dovecot_t)
mta_home_filetrans_mail_home_rw(dovecot_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(dovecot_t, dir, ".maildir")
')
optional_policy(`
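Review bot: the added rule is scoped to the `dir` class, matching the existing "Maildir" transition directly above it, so only a directory named .maildir created by dovecot_t in the user home gets mail_home_rw_t; a regular file or symlink of that name is unaffected, which is the right scope for a maildir root. No change requested; the same three-line pattern recurs in the procmail and uwimap hunks below.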
diff --git a/mta.te b/mta.te
index 8a14615..d77a86a 100644
--- a/mta.te
+++ b/mta.te
@@ -67,6 +67,7 @@ manage_dirs_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
manage_lnk_files_pattern(user_mail_domain, mail_home_rw_t, mail_home_rw_t)
userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, "Maildir")
+userdom_user_home_dir_filetrans(user_mail_domain, mail_home_rw_t, dir, ".maildir")
read_files_pattern(user_mail_domain, { etc_mail_t etc_aliases_t }, { etc_mail_t etc_aliases_t })
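Review bot: this is a creation-time transition only, and the series touches no .fc file, so an existing ~/.maildir created before this policy is loaded will not be relabeled by restorecon unless mta.fc already carries a file-context entry for ~/.maildir with mail_home_rw_t. Worth confirming, otherwise the two layouts ("Maildir" and ".maildir") end up with different labels on upgraded systems.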
diff --git a/procmail.te b/procmail.te
index 07d5c5a..ea25cb5 100644
--- a/procmail.te
+++ b/procmail.te
@@ -105,6 +105,7 @@ optional_policy(`
mta_read_queue(procmail_t)
mta_manage_mail_home_rw_content(procmail_t)
mta_home_filetrans_mail_home_rw(procmail_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(procmail_t, dir, ".maildir")
')
optional_policy(`
diff --git a/uwimap.te b/uwimap.te
index 4e06a93..5d89b3f 100644
--- a/uwimap.te
+++ b/uwimap.te
@@ -91,6 +91,7 @@ optional_policy(`
mta_manage_spool(imapd_t)
mta_manage_mail_home_rw_content(imapd_t)
mta_home_filetrans_mail_home_rw(imapd_t, dir, "Maildir")
+ mta_home_filetrans_mail_home_rw(imapd_t, dir, ".maildir")
')
optional_policy(`
--
1.7.8.6
* [refpolicy] [PATCH 01/12] More .maildir fixes
From: grift @ 2013-01-01 10:36 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> A previous commit provided initial support for ~/.maildir as a mail home
> directory. This patch further implements this by adding the necessary named
> file transitions where one for "~/Maildir" already existed.
>
This was merged, thanks
* [refpolicy] [PATCH 02/12] Mark make.profile entry as portage_conf_t (v2)
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
Although the /etc/make.profile symlink is going to be removed in a matter of
time, it is currently still very much in use and should be marked as
portage_conf_t.
Fixed to use -l instead of -s in the file context.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
portage.fc | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/portage.fc b/portage.fc
index d044552..da4892c 100644
--- a/portage.fc
+++ b/portage.fc
@@ -1,5 +1,6 @@
/etc/make\.conf -- gen_context(system_u:object_r:portage_conf_t,s0)
/etc/make\.globals -- gen_context(system_u:object_r:portage_conf_t,s0)
+/etc/make\.profile -l gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage(/.*)? gen_context(system_u:object_r:portage_conf_t,s0)
/etc/portage/gpg(/.*)? gen_context(system_u:object_r:portage_gpg_t,s0)
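Review bot: `-l` is the right file type here (symbolic link), which is what the v2 note about -s refers to: `-s` matches only sockets, so the v1 entry would never have applied to /etc/make.profile. Note that labeling the link does not change the label of the profile directory it points to; any domain that follows the link needs lnk_file read on portage_conf_t in addition to whatever access it has on the target, which is worth checking for the domains that resolve the profile.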
--
1.7.8.6
* [refpolicy] [PATCH 02/12] Mark make.profile entry as portage_conf_t (v2)
From: grift @ 2013-01-01 10:37 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Although the /etc/make.profile symlink is going to be removed in a matter of
> time, it is currently still very much in use and should be marked as
> portage_conf_t.
>
I would probably have left it etc_t, but I have no problem with this
solution either. This was merged, thanks.
> Fixed to use -l instead of -s in the file context.
>
* [refpolicy] [PATCH 03/12] Move mta call (coding style)
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 8 ++++----
1 files changed, 4 insertions(+), 4 deletions(-)
diff --git a/puppet.te b/puppet.te
index 8266be4..1113f10 100644
--- a/puppet.te
+++ b/puppet.te
@@ -317,6 +317,10 @@ optional_policy(`
')
optional_policy(`
+ mta_send_mail(puppetmaster_t)
+')
+
+optional_policy(`
mysql_stream_connect(puppetmaster_t)
')
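Review bot: the move puts the mta_send_mail block in alphabetical position (mta_ before mysql_), which is the ordering convention for optional_policy blocks in refpolicy; the block removed in the second hunk is character-for-character the same, and the diffstat (4 insertions, 4 deletions) confirms the change is behaviour-neutral.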
@@ -330,7 +334,3 @@ optional_policy(`
rpm_exec(puppetmaster_t)
rpm_read_db(puppetmaster_t)
')
-
-optional_policy(`
- mta_send_mail(puppetmaster_t)
-')
--
1.7.8.6
* [refpolicy] [PATCH 03/12] Move mta call (coding style)
From: grift @ 2013-01-01 10:37 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This was merged, thanks
* [refpolicy] [PATCH 04/12] Changes to puppet domain
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
The provided changes are needed for a puppet (client) to properly start up
and/or get its facts straight (= information on the current system state).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 8 +++++++-
1 files changed, 7 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index 1113f10..f3f1c1f 100644
--- a/puppet.te
+++ b/puppet.te
@@ -58,11 +58,12 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket nlmsg_write;
allow puppet_t self:tcp_socket { accept listen };
+allow puppet_t self:udp_socket create_socket_perms;
allow puppet_t puppet_etc_t:dir list_dir_perms;
allow puppet_t puppet_etc_t:file read_file_perms;
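Review bot: two unrelated grants are bundled in this hunk and the commit message does not say which startup step or fact needs each: `chown` lets puppet_t change ownership of any file it can already write, and `udp_socket create_socket_perms` opens a new socket class for the domain. Please cite the AVC denials that motivated each so the capability can be revisited later; if the UDP socket is only for name resolution, auth_use_nsswitch (mentioned later in this thread) is the conventional way to grant that rather than a bare self:udp_socket rule.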
@@ -78,6 +79,7 @@ files_pid_filetrans(puppet_t, puppet_var_run_t, { file dir })
allow puppet_t puppet_log_t:dir { create_dir_perms setattr_dir_perms };
append_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
create_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
+read_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
setattr_files_pattern(puppet_t, puppet_log_t, puppet_log_t)
logging_log_filetrans(puppet_t, puppet_log_t, { file dir })
@@ -90,6 +92,8 @@ kernel_dontaudit_search_kernel_sysctl(puppet_t)
kernel_read_system_state(puppet_t)
kernel_read_crypto_sysctls(puppet_t)
kernel_read_kernel_sysctls(puppet_t)
+kernel_read_net_sysctls(puppet_t)
+kernel_read_network_state(puppet_t)
corecmd_exec_bin(puppet_t)
corecmd_exec_shell(puppet_t)
@@ -119,6 +123,7 @@ files_read_usr_files(puppet_t)
files_read_usr_symlinks(puppet_t)
files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
+files_search_var_lib(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
@@ -144,6 +149,7 @@ seutil_domtrans_setfiles(puppet_t)
seutil_domtrans_semanage(puppet_t)
sysnet_run_ifconfig(puppet_t, system_r)
+sysnet_use_ldap(puppet_t)
tunable_policy(`puppet_manage_all_files',`
files_manage_non_auth_files(puppet_t)
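Review bot: sysnet_use_ldap grants puppet_t LDAP client network access unconditionally, which is more than most deployments need. If this is for NSS lookups, auth_use_nsswitch (the interface mentioned later in this thread) is the conventional call for NSS backends in refpolicy; otherwise consider gating the call behind a tunable and stating in the commit message which operation needs it.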
--
1.7.8.6
* [refpolicy] [PATCH 04/12] Changes to puppet domain
From: grift @ 2013-01-01 10:39 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> The provided changes are needed for a puppet (client) to properly start up
> and/or get its facts straight (= information on the current system state).
>
This was merged, thanks
* [refpolicy] [PATCH 05/12] Allow rpc admin to run exportfs
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
Running exportfs gives a failure::
exportfs: /proc/fs/nfs/exports:2: unknown keyword
"uuid=98e15bcc:25161082:00000000:00000000"
A related denial::
Dec 19 14:42:24 hpl kernel: [21543.035535] type=1400 audit(1355924544.121:1506):
avc: denied { search } for pid=4139 comm="exportfs" name="/" dev="nfsd" ino=1
scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:nfsd_fs_t
tclass=dir
Granting fs_search_nfsd_t() provides what is needed to handle this properly.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
rpc.if | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/rpc.if b/rpc.if
index 694e1e8..3bd6446 100644
--- a/rpc.if
+++ b/rpc.if
@@ -415,4 +415,6 @@ interface(`rpc_admin',`
files_list_tmp($1)
admin_pattern($1, gssd_tmp_t)
+
+ fs_search_nfsd_fs($1)
')
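Review bot: the commit message names fs_search_nfsd_t() but the hunk calls fs_search_nfsd_fs($1); please align the message with the actual interface. Also, the quoted denial is for sysadm_t, not for a domain that gets its NFS rights through rpc_admin, so adding it here widens every rpc_admin caller to fix a sysadm problem; putting it in the sysadm policy, or verifying with a dedicated admin role, would keep the interface minimal.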
--
1.7.8.6
* [refpolicy] [PATCH 05/12] Allow rpc admin to run exportfs
From: grift @ 2013-01-01 10:43 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Running exportfs gives a failure::
>
> exportfs: /proc/fs/nfs/exports:2: unknown keyword
> "uuid=98e15bcc:25161082:00000000:00000000"
>
> A related denial::
>
> Dec 19 14:42:24 hpl kernel: [21543.035535] type=1400 audit(1355924544.121:1506):
> avc: denied { search } for pid=4139 comm="exportfs" name="/" dev="nfsd" ino=1
> scontext=staff_u:sysadm_r:sysadm_t tcontext=system_u:object_r:nfsd_fs_t
> tclass=dir
>
> Granting fs_search_nfsd_t() provides what is needed to handle this properly.
>
This should probably just go into the sysadm policy instead of this
interface.
You probably should not test these interfaces with sysadm, because sysadm
already has a lot of privileges, so chances are that this will not work
or be enough with, for example, an nfsadm_r role.
I merged it nevertheless, but please keep that in mind next time. Thanks.
* [refpolicy] [PATCH 06/12] Grant sys_admin capability to puppet
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
While gathering information, puppet invokes lspci, which requires the sys_admin
capability.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index f3f1c1f..5a256e3 100644
--- a/puppet.te
+++ b/puppet.te
@@ -58,7 +58,7 @@ files_tmp_file(puppetmaster_tmp_t)
# Local policy
#
-allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_nice sys_tty_config };
+allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
allow puppet_t self:netlink_route_socket nlmsg_write;
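Review bot: sys_admin is the broadest capability in the set and this hunk grants it to puppet_t permanently for the sake of one information-gathering command. Before merging, confirm that lspci actually fails without it rather than only triggering a denial (a dontaudit would then suffice), and if the allow is truly needed, add a comment above the rule naming lspci so the grant can be re-evaluated later.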
--
1.7.8.6
* [refpolicy] [PATCH 06/12] Grant sys_admin capability to puppet
From: grift @ 2013-01-01 10:47 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> While gathering information, puppet invokes lspci, which requires the sys_admin
> capability.
>
I gather that puppet loses functionality if this permission is
dontaudited?
sys_admin is a very broad capability.
This was merged, thanks.
* [refpolicy] [PATCH 06/12] Grant sys_admin capability to puppet
From: Sven Vermeulen @ 2013-01-01 10:50 UTC (permalink / raw)
To: refpolicy
On Tue, Jan 1, 2013 at 11:47 AM, grift <dominick.grift@gmail.com> wrote:
> On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> > While gathering information, puppet invokes lspci, which requires the
> sys_admin
> > capability.
> >
>
> I gather that puppet loses functionality if this permission is
> dontaudited?
>
> sys_admin is a very broad capability
Yes; it is needed to gather the facts (configuration settings puppet
receives from a system and uses to build its decisions on) of the system.
Puppet is a system administration tool so it makes sense that it needs this
privilege. It prob
* [refpolicy] [PATCH 07/12] Puppet module helper scripts are puppet_var_lib_t
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute
these files. Another method would be to have the scripts marked bin_t, but as
these paths are depending on module names this does not seem feasible.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index 5a256e3..f627825 100644
--- a/puppet.te
+++ b/puppet.te
@@ -71,6 +71,7 @@ allow puppet_t puppet_etc_t:lnk_file read_lnk_file_perms;
manage_dirs_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
manage_files_pattern(puppet_t, puppet_var_lib_t, puppet_var_lib_t)
+can_exec(puppet_t, puppet_var_lib_t)
setattr_dirs_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
manage_files_pattern(puppet_t, puppet_var_run_t, puppet_var_run_t)
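Review bot: together with the manage_files_pattern on puppet_var_lib_t in the context lines just above, this hunk lets puppet_t write a file and then execute it from the same type, so there is no write-xor-execute separation for module helper scripts under /var/lib/puppet. That is inherent to running master-supplied modules, but it deserves a comment on the can_exec line, since it means any content the puppet master (or anything else able to write puppet_var_lib_t) delivers runs in puppet_t.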
--
1.7.8.6
* [refpolicy] [PATCH 07/12] Puppet module helper scripts are puppet_var_lib_t
From: grift @ 2013-01-01 10:47 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> As the module helper scripts are puppet_var_lib_t, we allow puppet_t to execute
> these files. Another method would be to have the scripts marked bin_t, but as
> these paths are depending on module names this does not seem feasible.
>
This was merged, thanks
* [refpolicy] [PATCH 08/12] Support netlink_route_socket creation for puppet
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 2 +-
1 files changed, 1 insertions(+), 1 deletions(-)
diff --git a/puppet.te b/puppet.te
index f627825..357a2f5 100644
--- a/puppet.te
+++ b/puppet.te
@@ -61,7 +61,7 @@ files_tmp_file(puppetmaster_tmp_t)
allow puppet_t self:capability { chown fowner fsetid setuid setgid dac_override sys_admin sys_nice sys_tty_config };
allow puppet_t self:process { signal signull getsched setsched };
allow puppet_t self:fifo_file rw_fifo_file_perms;
-allow puppet_t self:netlink_route_socket nlmsg_write;
+allow puppet_t self:netlink_route_socket create_netlink_socket_perms;
allow puppet_t self:tcp_socket { accept listen };
allow puppet_t self:udp_socket create_socket_perms;
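Review bot: this replaces nlmsg_write rather than adding to it, so unless create_netlink_socket_perms includes nlmsg_write the hunk drops a permission the domain previously had; check the definition in obj_perm_sets.spt, and if that set only carries nlmsg_read, use rw_netlink_socket_perms or add nlmsg_write back explicitly. Please also put the triggering denial in the commit message, which is currently empty.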
--
1.7.8.6
* [refpolicy] [PATCH 08/12] Support netlink_route_socket creation for puppet
From: grift @ 2013-01-01 10:48 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
This was merged, thanks
* [refpolicy] [PATCH 09/12] Puppet initscript creates /run/puppet
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
As the target context of /run/puppet needs to be puppet_var_run_t, introduce an
init_daemon_run_dir call to support this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index 357a2f5..f836236 100644
--- a/puppet.te
+++ b/puppet.te
@@ -37,6 +37,7 @@ files_type(puppet_var_lib_t)
type puppet_var_run_t;
files_pid_file(puppet_var_run_t)
+init_daemon_run_dir(puppet_var_run_t, "puppet")
type puppetca_t;
type puppetca_exec_t;
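Review bot: init_daemon_run_dir covers the directory the initscript creates at boot, but since /run is volatile a file-context entry for /run/puppet with puppet_var_run_t in puppet.fc is still needed so that restorecon and the create-time transition agree; confirm one exists, since this patch touches only the .te file.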
--
1.7.8.6
* [refpolicy] [PATCH 09/12] Puppet initscript creates /run/puppet
From: grift @ 2013-01-01 10:49 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> As the target context of /run/puppet needs to be puppet_var_run_t, introduce an
> init_daemon_run_dir call to support this.
>
This was merged, thanks
* [refpolicy] [PATCH 10/12] Puppet runs statfs against selinuxfs
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
When dealing with SELinux information in puppet, puppet invokes binaries such as
getsebool and setsebool. These binaries run statfs against the selinuxfs mounts.
If the statfs returns failure, then these binaries return "SELinux is not
enabled" even though this is false.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
puppet.te | 1 +
1 files changed, 1 insertions(+), 0 deletions(-)
diff --git a/puppet.te b/puppet.te
index f836236..4e45b07 100644
--- a/puppet.te
+++ b/puppet.te
@@ -127,6 +127,7 @@ files_relabel_config_dirs(puppet_t)
files_relabel_config_files(puppet_t)
files_search_var_lib(puppet_t)
+selinux_get_fs_mount(puppet_t)
selinux_search_fs(puppet_t)
selinux_set_all_booleans(puppet_t)
selinux_set_generic_booleans(puppet_t)
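Review bot: the failure mode described (getsebool reporting "SELinux is not enabled" after a denied statfs) is a silent misreport rather than a visible error, so the denial is easy to miss; a one-line comment above selinux_get_fs_mount naming getsebool/setsebool would help the next person who hits the same symptom. The call is correctly placed alphabetically before selinux_search_fs.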
--
1.7.8.6
* [refpolicy] [PATCH 11/12] Allow qemu to create TCP sockets (VNC support)
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
To support binding to a VNC server (as well as GDB remote support), allow
qemu_t to create a tcp_socket.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
qemu.te | 2 ++
1 files changed, 2 insertions(+), 0 deletions(-)
diff --git a/qemu.te b/qemu.te
index 2e824eb..672acfb 100644
--- a/qemu.te
+++ b/qemu.te
@@ -28,6 +28,8 @@ role qemu_roles types qemu_t;
#
tunable_policy(`qemu_full_network',`
+ allow qemu_t self:tcp_socket create_stream_socket_perms;
+
corenet_udp_sendrecv_generic_if(qemu_t)
corenet_udp_sendrecv_generic_node(qemu_t)
corenet_udp_sendrecv_all_ports(qemu_t)
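Review bot: the new create_stream_socket_perms rule sits inside tunable_policy(`qemu_full_network'), so the VNC and GDB listening the message describes only works with that boolean enabled, which the commit message should say; also, creating the socket is only the first step, and the surrounding block shows UDP corenet rules but no corenet_tcp_bind rule for the VNC port, so check that bind and listen on the relevant port are covered elsewhere or add them beside this line.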
--
1.7.8.6
* [refpolicy] [PATCH 11/12] Allow qemu to create TCP sockets (VNC support)
2012-12-31 22:52 ` [refpolicy] [PATCH 11/12] Allow qemu to create TCP sockets (VNC support) Sven Vermeulen
@ 2013-01-01 10:35 ` grift
0 siblings, 0 replies; 26+ messages in thread
From: grift @ 2013-01-01 10:35 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> To support binding to a VNC server (as well as GDB remote support), allow
> qemu_t to create a tcp_socket.
I added instead:
-allow virt_domain self:tcp_socket { accept listen };
+allow virt_domain self:tcp_socket create_stream_socket_perms;
This was indeed an issue that was introduced when I removed
auth_use_nsswitch support.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> qemu.te | 2 ++
> 1 files changed, 2 insertions(+), 0 deletions(-)
>
> diff --git a/qemu.te b/qemu.te
> index 2e824eb..672acfb 100644
> --- a/qemu.te
> +++ b/qemu.te
> @@ -28,6 +28,8 @@ role qemu_roles types qemu_t;
> #
>
> tunable_policy(`qemu_full_network',`
> + allow qemu_t self:tcp_socket create_stream_socket_perms;
> +
> corenet_udp_sendrecv_generic_if(qemu_t)
> corenet_udp_sendrecv_generic_node(qemu_t)
> corenet_udp_sendrecv_all_ports(qemu_t)
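Review bot: the alternative taken in the reply (+allow virt_domain self:tcp_socket create_stream_socket_perms) differs in scope from the quoted hunk: the hunk grants socket creation to qemu_t only and only when qemu_full_network is on, while the attribute rule grants it to every virt_domain unconditionally. If qemu_t carries the virt_domain attribute the hunk becomes redundant, but state which behaviour is intended when the boolean is off so the qemu_full_network description stays accurate.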
* [refpolicy] [PATCH 12/12] Fix specification collision (hal and devicekit)
2012-12-31 22:52 [refpolicy] [PATCH 00/12] Various contrib changes Sven Vermeulen
` (10 preceding siblings ...)
2012-12-31 22:52 ` [refpolicy] [PATCH 11/12] Allow qemu to create TCP sockets (VNC support) Sven Vermeulen
@ 2012-12-31 22:52 ` Sven Vermeulen
2013-01-01 10:33 ` grift
11 siblings, 1 reply; 26+ messages in thread
From: Sven Vermeulen @ 2012-12-31 22:52 UTC (permalink / raw)
To: refpolicy
In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
definition in HAL. So this switches the definition in HAL to use the pm/ directory
itself and leaves pm-utils for devicekit.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
---
hal.fc | 3 ++-
1 files changed, 2 insertions(+), 1 deletions(-)
diff --git a/hal.fc b/hal.fc
index 2899bad..a64b30e 100644
--- a/hal.fc
+++ b/hal.fc
@@ -22,6 +22,7 @@
/var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm -d gen_context(system_u:object_r:hald_var_run_t,s0)
+/var/run/pm/(.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
/var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
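Review bot: file context patterns are anchored at both ends, so the removed /var/run/pm(/.*)? could never match /var/run/pm-utils in the first place; the replacement -d line plus /var/run/pm/(.*)? covers exactly the same paths with the same type, so this hunk does not change any labeling. If a real conflict was observed, quote the setfiles or restorecon error in the message, otherwise drop the change. Minor: (.*)? is equivalent to .*, and the refpolicy idiom for a directory and its contents is the single pm(/.*)? line being removed here.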
--
1.7.8.6
* [refpolicy] [PATCH 12/12] Fix specification collision (hal and devicekit)
2012-12-31 22:52 ` [refpolicy] [PATCH 12/12] Fix specification collision (hal and devicekit) Sven Vermeulen
@ 2013-01-01 10:33 ` grift
2013-01-01 10:39 ` Sven Vermeulen
0 siblings, 1 reply; 26+ messages in thread
From: grift @ 2013-01-01 10:33 UTC (permalink / raw)
To: refpolicy
On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
> definition in HAL. So switching the definition in HAL to use the pm/ directory
> itself and leave pm-utils for devicekit.
I do not understand what you are trying to achieve here.
In devicekit.fc it's pm-utils(/.*)? and in hald it's pm(/.*)? so there
shouldn't be any collision.
> Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
> ---
> hal.fc | 3 ++-
> 1 files changed, 2 insertions(+), 1 deletions(-)
>
> diff --git a/hal.fc b/hal.fc
> index 2899bad..a64b30e 100644
> --- a/hal.fc
> +++ b/hal.fc
> @@ -22,6 +22,7 @@
>
> /var/run/hald(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/haldaemon\.pid -- gen_context(system_u:object_r:hald_var_run_t,s0)
> -/var/run/pm(/.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> +/var/run/pm -d gen_context(system_u:object_r:hald_var_run_t,s0)
> +/var/run/pm/(.*)? gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/synce.* gen_context(system_u:object_r:hald_var_run_t,s0)
> /var/run/vbe.* -- gen_context(system_u:object_r:hald_var_run_t,s0)
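Review bot: both sides of the quoted hunk assign hald_var_run_t to the same set of paths, so the claimed collision cannot be verified from the diff alone, and the devicekit pattern the message refers to is not part of this hunk; include the two conflicting lines from devicekit.fc and hal.fc, or the "Multiple same specifications" output from setfiles, in the message before this is applied.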
* [refpolicy] [PATCH 12/12] Fix specification collision (hal and devicekit)
2013-01-01 10:33 ` grift
@ 2013-01-01 10:39 ` Sven Vermeulen
0 siblings, 0 replies; 26+ messages in thread
From: Sven Vermeulen @ 2013-01-01 10:39 UTC (permalink / raw)
To: refpolicy
On Tue, Jan 01, 2013 at 11:33:31AM +0100, grift wrote:
> On Mon, 2012-12-31 at 23:52 +0100, Sven Vermeulen wrote:
> > In the devicekit contexts, pm-utils(/.*)? is colliding with the pm(/.*)?
> > definition in HAL. So switching the definition in HAL to use the pm/ directory
> > itself and leave pm-utils for devicekit.
>
> I do not understand what you are trying to achieve here.
>
> In devicekit.fc it's pm-utils(/.*)? and in hald it's pm(/.*)? so there
> shouldn't be any collision.
Hmm, you're right. Weird, I could've sworn we had a collision on a test
system here, but I didn't register the problem much further in our
bugtracking.
I'll revert it locally as well.
Wkr,
Sven Vermeulen