* [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface
@ 2015-08-24 15:10 Jason Zaman
2015-08-24 15:10 ` [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets Jason Zaman
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw)
To: refpolicy
Admining rsync does not require running it in the rsync_t domain and
this causes problems for backups and the like which would originally run
in the user's domain now run in rsync_t.
---
rsync.if | 2 --
1 file changed, 2 deletions(-)
diff --git a/rsync.if b/rsync.if
index e916de8..c7b19aa 100644
--- a/rsync.if
+++ b/rsync.if
@@ -276,6 +276,4 @@ interface(`rsync_admin',`
files_search_pids($1)
admin_pattern($1, rsync_var_run_t)
-
- rsync_run($1, $2)
')
--
2.4.6
^ permalink raw reply related [flat|nested] 6+ messages in thread* [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets 2015-08-24 15:10 [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Jason Zaman @ 2015-08-24 15:10 ` Jason Zaman 2015-08-25 10:22 ` Dominick Grift 2015-08-24 15:10 ` [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes Jason Zaman 2015-08-25 10:17 ` [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Dominick Grift 2 siblings, 1 reply; 6+ messages in thread From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw) To: refpolicy git_session_t already has these permissions but they are missing on git_system_t. Instead add the perms on the git_daemon attribute which covers both system and session daemons. --- git.te | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/git.te b/git.te index 1ca8c24..517d513 100644 --- a/git.te +++ b/git.te @@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t) # Session policy # -allow git_session_t self:tcp_socket { accept listen }; - userdom_search_user_home_dirs(git_session_t) corenet_all_recvfrom_netlabel(git_session_t) @@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',` # allow git_daemon self:fifo_file rw_fifo_file_perms; +allow git_daemon self:tcp_socket { accept listen }; list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t) read_files_pattern(git_daemon, git_user_content_t, git_user_content_t) -- 2.4.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets 2015-08-24 15:10 ` [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets Jason Zaman @ 2015-08-25 10:22 ` Dominick Grift 0 siblings, 0 replies; 6+ messages in thread From: Dominick Grift @ 2015-08-25 10:22 UTC (permalink / raw) To: refpolicy On Mon, Aug 24, 2015 at 11:10:08PM +0800, Jason Zaman wrote: > git_session_t already has these permissions but they are missing on > git_system_t. Instead add the perms on the git_daemon attribute which > covers both system and session daemons. By default git-daemon as a system service is configured with xinetd. The way xinetd works is that it basiscally handles networking on git daemons behalf. I thought i did add support to run git-daemon as a sysv init system service, and i did but this part was missing indeed. Thanks, merged. > --- > git.te | 3 +-- > 1 file changed, 1 insertion(+), 2 deletions(-) > > diff --git a/git.te b/git.te > index 1ca8c24..517d513 100644 > --- a/git.te > +++ b/git.te > @@ -103,8 +103,6 @@ userdom_user_home_content(git_user_content_t) > # Session policy > # > > -allow git_session_t self:tcp_socket { accept listen }; > - > userdom_search_user_home_dirs(git_session_t) > > corenet_all_recvfrom_netlabel(git_session_t) > @@ -266,6 +264,7 @@ tunable_policy(`git_cgi_use_nfs',` > # > > allow git_daemon self:fifo_file rw_fifo_file_perms; > +allow git_daemon self:tcp_socket { accept listen }; > > list_dirs_pattern(git_daemon, git_user_content_t, git_user_content_t) > read_files_pattern(git_daemon, git_user_content_t, git_user_content_t) > -- > 2.4.6 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150825/c270b7c8/attachment.bin ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes 2015-08-24 15:10 [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Jason Zaman 2015-08-24 15:10 ` [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets Jason Zaman @ 2015-08-24 15:10 ` Jason Zaman 2015-08-25 10:27 ` Dominick Grift 2015-08-25 10:17 ` [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Dominick Grift 2 siblings, 1 reply; 6+ messages in thread From: Jason Zaman @ 2015-08-24 15:10 UTC (permalink / raw) To: refpolicy --- hadoop.if | 13 +++++++++++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/hadoop.if b/hadoop.if index a0a819f..5908119 100644 --- a/hadoop.if +++ b/hadoop.if @@ -426,7 +426,6 @@ interface(`hadoop_admin',` attribute hadoop_domain; attribute hadoop_initrc_domain; - attribute hadoop_init_script_file; attribute hadoop_pid_file; attribute hadoop_lock_file; attribute hadoop_log_file; @@ -436,12 +435,22 @@ interface(`hadoop_admin',` type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t; type zookeeper_t, zookeeper_etc_t, zookeeper_server_t; type zookeeper_server_var_t; + + type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t; + type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t; + type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t; + type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t; + type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t; ') allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) - init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file) + init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) + init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t) + init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t) + init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t) + init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t) files_search_etc($1) admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) -- 2.4.6 ^ permalink raw reply related [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes 2015-08-24 15:10 ` [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes Jason Zaman @ 2015-08-25 10:27 ` Dominick Grift 0 siblings, 0 replies; 6+ messages in thread From: Dominick Grift @ 2015-08-25 10:27 UTC (permalink / raw) To: refpolicy On Mon, Aug 24, 2015 at 11:10:09PM +0800, Jason Zaman wrote: > --- > hadoop.if | 13 +++++++++++-- > 1 file changed, 11 insertions(+), 2 deletions(-) Yes that is an unfortunate side effect. CIL can deal with this. Merged, thanks > > diff --git a/hadoop.if b/hadoop.if > index a0a819f..5908119 100644 > --- a/hadoop.if > +++ b/hadoop.if > @@ -426,7 +426,6 @@ interface(`hadoop_admin',` > attribute hadoop_domain; > attribute hadoop_initrc_domain; > > - attribute hadoop_init_script_file; > attribute hadoop_pid_file; > attribute hadoop_lock_file; > attribute hadoop_log_file; > @@ -436,12 +435,22 @@ interface(`hadoop_admin',` > type hadoop_t, hadoop_etc_t, hadoop_hsperfdata_t; > type zookeeper_t, zookeeper_etc_t, zookeeper_server_t; > type zookeeper_server_var_t; > + > + type hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t; > + type hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t; > + type hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t; > + type hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t; > + type hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t; > ') > > allow $1 { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }:process { ptrace signal_perms }; > ps_process_pattern($1, { hadoop_domain hadoop_initrc_domain hadoop_t zookeeper_t zookeeper_server_t }) > > - init_startstop_service($1, $2, hadoop_domain, hadoop_init_script_file) > + init_startstop_service($1, $2, hadoop_datanode_initrc_t, hadoop_datanode_initrc_exec_t) > + init_startstop_service($1, $2, hadoop_jobtracker_initrc_t, hadoop_jobtracker_initrc_exec_t) > + init_startstop_service($1, $2, hadoop_namenode_initrc_t, hadoop_namenode_initrc_exec_t) > + init_startstop_service($1, $2, hadoop_secondarynamenode_initrc_t, hadoop_secondarynamenode_initrc_exec_t) > + init_startstop_service($1, $2, hadoop_tasktracker_initrc_t, hadoop_tasktracker_initrc_exec_t) > > files_search_etc($1) > admin_pattern($1, { hadoop_etc_t zookeeper_etc_t }) > -- > 2.4.6 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150825/e307f8c4/attachment.bin ^ permalink raw reply [flat|nested] 6+ messages in thread
* [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface 2015-08-24 15:10 [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Jason Zaman 2015-08-24 15:10 ` [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets Jason Zaman 2015-08-24 15:10 ` [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes Jason Zaman @ 2015-08-25 10:17 ` Dominick Grift 2 siblings, 0 replies; 6+ messages in thread From: Dominick Grift @ 2015-08-25 10:17 UTC (permalink / raw) To: refpolicy On Mon, Aug 24, 2015 at 11:10:07PM +0800, Jason Zaman wrote: > Admining rsync does not require running it in the rsync_t domain and > this causes problems for backups and the like which would originally run > in the user's domain now run in rsync_t. Thanks, merged > --- > rsync.if | 2 -- > 1 file changed, 2 deletions(-) > > diff --git a/rsync.if b/rsync.if > index e916de8..c7b19aa 100644 > --- a/rsync.if > +++ b/rsync.if > @@ -276,6 +276,4 @@ interface(`rsync_admin',` > > files_search_pids($1) > admin_pattern($1, rsync_var_run_t) > - > - rsync_run($1, $2) > ') > -- > 2.4.6 > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -- 02DFF788 4D30 903A 1CF3 B756 FB48 1514 3148 83A2 02DF F788 http://keys.gnupg.net/pks/lookup?op=vindex&search=0x314883A202DFF788 Dominick Grift -------------- next part -------------- A non-text attachment was scrubbed... Name: not available Type: application/pgp-signature Size: 648 bytes Desc: not available Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20150825/0dcddf4e/attachment.bin ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2015-08-25 10:27 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2015-08-24 15:10 [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Jason Zaman 2015-08-24 15:10 ` [refpolicy] [PATCH 2/3] git: allow git_system_t to listen on tcp_sockets Jason Zaman 2015-08-25 10:22 ` Dominick Grift 2015-08-24 15:10 ` [refpolicy] [PATCH 3/3] hadoop: init_startstop_service() can not take attributes Jason Zaman 2015-08-25 10:27 ` Dominick Grift 2015-08-25 10:17 ` [refpolicy] [PATCH 1/3] rsync: remove rsync_run from admin interface Dominick Grift
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.