From: Russell Coker <russell@coker.com.au>
To: Dominick Grift <dominick.grift@defensec.nl>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Fri, 22 Jan 2021 00:25:10 +1100
Message-ID: <1730727.gRP4Mpsj7r@liv>
In-Reply-To: <ypjlpn1zlkw7.fsf@defensec.nl>
On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
> > /usr/sbin/suexec --
gen_context(system_u:object_r:httpd_suexec_exec_
> > t,s0)
> > /usr/sbin/wigwam --
gen_context(system_u:object_r:httpd_exec_t,s0)>
> > +/usr/sbin/php7..-fpm --
gen_context(system_u:object_r:httpd_exec_t,s0
> > )
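Review bot: the new file context `/usr/sbin/php7..-fpm` on the added line is both too narrow and too loose: the two unescaped dots are regex metacharacters, so the entry labels `php7X4-fpm` as readily as `php7.4-fpm`, yet it can never match a php8 binary. Use `/usr/sbin/php.*-fpm` if every versioned php-fpm binary should be `httpd_exec_t`, or at minimum escape the literal dot as `/usr/sbin/php7\..-fpm`.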
>
> That seems fragile. Would probably have used "/usr/sbin/php.*-fpm"
OK, I'll change that.
> > +interface(`apache_delete_squirrelmail_spool',`
> > + gen_require(`
> > + type squirrelmail_spool_t;
> > + ')
> > +
> > + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> > + allow $1 squirrelmail_spool_t:file delete_file_perms;
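Review bot: the two raw `allow` rules in the body of `apache_delete_squirrelmail_spool` should be the `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` macro: it grants only `del_entry_dir_perms` on the directory instead of the wider `rw_dir_perms` (which also permits adding entries and listing the directory) and keeps the interface consistent with the rest of refpolicy. No `## <summary>` / `## <param>` comment block is visible above `interface(` in the quoted lines either; every refpolicy interface needs one for the generated documentation.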
>
> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
OK.
> > tunable_policy(`httpd_enable_homedirs',`
> >
> > - userdom_search_user_home_dirs(httpd_t)
> > + userdom_list_user_home_content(httpd_t)
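Review bot: replacing `userdom_search_user_home_dirs(httpd_t)` with `userdom_list_user_home_content(httpd_t)` inside the `httpd_enable_homedirs` tunable widens that boolean from directory traversal to listing everything under user home directories, which changes what existing users of the boolean have opted into. Keep the search rule here; listing and reading user content is what the separate `httpd_read_user_content` boolean already gates.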
>
> this is not how it was designed. If you want that functionality then set
> httpd_read_user_content boolean to true instead
OK, I'll delete that patch and do it a better way next time I see a case for
it.
> > allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> > allow cupsd_t self:fifo_file rw_fifo_file_perms;
> > allow cupsd_t self:unix_stream_socket { accept connectto listen };
> > allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> >
> > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> >
> > getattr read setopt };
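Review bot: the added `allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt }` spells out a hand-picked permission list, while the neighbouring `self:netlink_selinux_socket create_socket_perms` line in the same context shows the convention to follow. Use `create_socket_perms` here as well; it already covers bind, create, getattr, read and setopt.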
>
> create_socket_perms, use the permission sets and patterns where appropriate
ok
> > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> > @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> >
> > allow l2tpd_t self:tcp_socket { accept listen };
> > allow l2tpd_t self:unix_dgram_socket sendto;
> > allow l2tpd_t self:unix_stream_socket { accept listen };
> >
> > +allow l2tpd_t self:pppox_socket create;
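Review bot: `allow l2tpd_t self:pppox_socket create;` grants only `create`, whereas the `self:socket create_socket_perms` line in this hunk's header shows the usual form, and a socket the daemon creates will normally be read from, written to or configured as well. If testing really produced only the `create` denial, state that in the commit message; otherwise use `create_socket_perms` now rather than growing the rule one AVC denial at a time.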
>
> create_socket_perms probably eventually
Maybe, but for the moment I think it's best to leave them like that. I had it
working fully only needing those accesses.
> > @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> >
> > type mysqld_t;
> >
> > ')
> >
> > - allow $1 mysqld_t:process signal;
> > + allow $1 mysqld_t:process { signull signal };
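Review bot: changing `mysql_signal` from `signal` to `{ signull signal }` silently grants every existing caller of the interface an extra permission and leaves no way to allow `signull` on its own. Leave `mysql_signal` as it is and add a separate `mysql_signull()` interface: `signull` is only an existence probe, and a caller that needs just the probe should not be handed `signal` with it.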
>
> create a new mysql_signull()
>
> By generalizing interfaces and putting them out of context you're
> shutting down doors for fine-grained access control.
OK, I'll drop that patch and add a mysql_signull() next time I see the need
for it (probably a week or two).
> > optional_policy(`
> >
> > + dbus_send_system_bus(smbd_t)
> > + dbus_system_bus_client(smbd_t)
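Review bot: `dbus_send_system_bus(smbd_t)` on the first added line is redundant next to `dbus_system_bus_client(smbd_t)`, which already allows `send_msg` to the system bus; drop the first line and keep only `dbus_system_bus_client(smbd_t)`.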
>
> dbus_send_system_bus(smbd_t) is redundant (already implied with
> dbus_system_bus_client(smbd_t)).
ok
> > Index: refpolicy-2.20210120/policy/modules/services/squid.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> > +++ refpolicy-2.20210120/policy/modules/services/squid.te
> > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> >
> > allow squid_t self:unix_dgram_socket sendto;
> > allow squid_t self:unix_stream_socket { accept connectto listen };
> > allow squid_t self:tcp_socket { accept listen };
> >
> > +allow squid_t self:netlink_netfilter_socket
> > all_netlink_netfilter_socket_perms;
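Review bot: `all_netlink_netfilter_socket_perms` on the added rule grants every permission in the class, far more than any of the surrounding `squid_t` socket rules in this hunk do. Use `create_socket_perms` unless a specific denial shows that something beyond it is needed.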
>
> probably just create_socket_perms?
OK.
> > Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> > @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >
> > init_dbus_chat(sshd_t)
> > systemd_dbus_chat_logind(sshd_t)
> > init_rw_stream_sockets(sshd_t)
> >
> > + systemd_read_logind_sessions_files(sshd_t)
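Review bot: `systemd_read_logind_sessions_files(sshd_t)` is a login-program need rather than anything specific to sshd, so it belongs in the shared `auth_login_pgm_domain()` interface in the authlogin module instead of `ssh.te`; that gives every login domain the same access and avoids a one-off rule per daemon. Any `systemd_connect_machined()` call being added for sshd should go there for the same reason.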
>
> This should probably be addressed on the lower authlogin level instead
auth_login_pgm_domain()?
In another patch I have systemd_connect_machined(sshd_t) which I guess should
go in the same one too.
Thanks for all the suggestions. I'll send an updated version shortly.
--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
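To make the php-fpm file-context point concrete, here is an added example that is not from the thread or from refpolicy: a small Python check that applies the submitted pattern, the suggested broader one, and an escaped php7-only variant to a constructed set of paths the way libselinux evaluates file_contexts regexes (anchored, whole-path match). The pattern names and candidate paths are assumptions for illustration.

```python
import re

# Constructed patterns as they would appear in a .fc file (label part omitted).
# "patch" and "proposed" are the two strings quoted in the thread; "escaped"
# is an assumed variant with the literal dot escaped.
PATTERNS = {
    "patch":    r"/usr/sbin/php7..-fpm",   # as submitted: dots are metachars
    "proposed": r"/usr/sbin/php.*-fpm",    # suggested in review
    "escaped":  r"/usr/sbin/php7\..-fpm",  # php7-only, dot escaped
}

# Constructed candidate paths; none of these come from the page.
CANDIDATES = [
    "/usr/sbin/php7.4-fpm",      # the intended target
    "/usr/sbin/php8.0-fpm",      # a newer major version
    "/usr/sbin/php7X4-fpm",      # unrelated name the unescaped dots accept
    "/usr/sbin/php7.4.3-fpm",    # three-component version
    "/usr/sbin/php-fpm",         # unversioned binary
    "/usr/sbin/php7.4-fpm.old",  # trailing suffix, must never match
]


def fc_matches(pattern: str, path: str) -> bool:
    """Anchored match, as libselinux compiles file_contexts entries
    into ^pattern$ so the regex must cover the entire path."""
    return re.fullmatch(pattern, path) is not None


def label_table(patterns=PATTERNS, candidates=CANDIDATES):
    """Return {pattern_name: [paths that pattern would label]}."""
    return {name: [p for p in candidates if fc_matches(rx, p)]
            for name, rx in patterns.items()}


if __name__ == "__main__":
    for name, hits in label_table().items():
        print(f"{name:9s} -> {hits}")
```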