From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] last misc stuff
Date: Fri, 4 Jan 2019 18:35:03 +1100 [thread overview]
Message-ID: <20190104073503.GC11256@aaa.coker.com.au> (raw)
More tiny patches. Note that this and the other 2 patches I just sent are not
dependent on each other, please apply any that you like.
Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
+++ refpolicy-2.20180701/policy/modules/admin/apt.fc
@@ -1,9 +1,12 @@
/etc/cron\.daily/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
-ifndef(`distro_redhat',`
+/usr/bin/apt -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/apt-get -- gen_context(system_u:object_r:apt_exec_t,s0)
-/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
+/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
+
+ifndef(`distro_redhat',`
+/usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
/usr/lib/packagekit/packagekitd -- gen_context(system_u:object_r:apt_exec_t,s0)
/var/cache/PackageKit(/.*)? gen_context(system_u:object_r:apt_var_cache_t,s0)
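Review bot: `/usr/sbin/update-apt-xapian-index` is labelled apt_exec_t, so the indexer presumably enters the same domain as the package manager itself; if it only reads package metadata and writes its own index, reusing the full apt domain is more privilege than it needs, and a narrower label or domain would follow least privilege better. The `ifndef(`distro_redhat',` block is moved so that `/usr/bin/apt` and the indexer become unconditional while the Debian-only front-ends stay conditional, but nothing in the file says so; a one-line comment above the unconditional group such as `# apt itself; Debian-only front-ends are in the distro block below` would make the split visible to the next person editing the file.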
Index: refpolicy-2.20180701/policy/modules/admin/backup.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
+++ refpolicy-2.20180701/policy/modules/admin/backup.te
@@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
logging_send_syslog_msg(backup_t)
+miscfiles_read_localization(backup_t)
+
sysnet_read_config(backup_t)
userdom_use_user_terminals(backup_t)
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
@@ -317,6 +317,10 @@ optional_policy(`
')
optional_policy(`
+ init_dbus_chat(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
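Review bot: `init_dbus_chat(dpkg_script_t)` grants two-way D-Bus messaging with the init domain, which on systemd hosts means package maintainer scripts can drive service management over the bus; that is a significant grant with no comment naming the script action that needs it. Add a why-comment above the call, e.g. `# maintainer scripts call systemctl, which talks to init over D-Bus` (adjusted to the actual cause seen in the audit log). Also confirm that dpkg_script_t already has `dbus_system_bus_client()` elsewhere in the file, since init_dbus_chat alone does not let the domain connect to the system bus; the surrounding optional_policy chain starts before this hunk.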
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
fs_getattr_xattr_fs(logrotate_t)
fs_list_inotifyfs(logrotate_t)
fs_getattr_tmpfs(logrotate_t)
+# killall reads nsfs files
+fs_read_nsfs_files(logrotate_t)
mls_file_read_all_levels(logrotate_t)
mls_file_write_all_levels(logrotate_t)
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
#
allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
-dontaudit groupadd_t self:capability { fsetid sys_tty_config };
+dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow groupadd_t self:fd use;
allow groupadd_t self:fifo_file rw_fifo_file_perms;
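Review bot: The new `net_admin` dontaudit on groupadd_t (and the matching change to `dontaudit useradd_t self:capability` in a later hunk) silences a capability denial without recording why it fires; a dontaudit is the right choice if the check comes from a library path the tool does not actually need, but that reasoning should be in the file. Add a comment above the rule such as `# CAP_NET_ADMIN is checked by a library setsockopt() we do not need` — replace with whatever the audit log actually showed — so the dontaudit stays reviewable later.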
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
+ dbus_system_bus_client(groupadd_t)
+')
+
+optional_policy(`
dpkg_use_fds(groupadd_t)
dpkg_rw_pipes(groupadd_t)
')
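Review bot: `dbus_system_bus_client(groupadd_t)` (and the same addition for useradd_t in the hunk ending `dpkg_rw_pipes(useradd_t)`) lets the account tools connect to the system bus, but no paired `*_dbus_chat` interface shows which service they talk to, so it is unclear whether this is a real requirement or a library probing the bus at startup. Name the peer in a comment, e.g. `# <service> lookup via D-Bus` with the actual service, and if the peer is known add its chat interface inside the same optional_policy block; if it is only a probe, consider whether the denial should be silenced rather than allowed.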
@@ -269,6 +273,10 @@ optional_policy(`
rpm_rw_pipes(groupadd_t)
')
+optional_policy(`
+ unconfined_use_fds(groupadd_t)
+')
+
########################################
#
# Passwd local policy
@@ -446,7 +454,7 @@ optional_policy(`
#
allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
-dontaudit useradd_t self:capability sys_tty_config;
+dontaudit useradd_t self:capability { net_admin sys_tty_config };
allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow useradd_t self:fd use;
allow useradd_t self:fifo_file rw_fifo_file_perms;
@@ -538,6 +546,10 @@ optional_policy(`
')
optional_policy(`
+ dbus_system_bus_client(useradd_t)
+')
+
+optional_policy(`
dpkg_use_fds(useradd_t)
dpkg_rw_pipes(useradd_t)
')
@@ -560,3 +572,7 @@ optional_policy(`
rpm_use_fds(useradd_t)
rpm_rw_pipes(useradd_t)
')
+
+optional_policy(`
+ unconfined_use_fds(useradd_t)
+')
Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
+++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
@@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
userdom_use_user_terminals(syncthing_t)
-optional_policy(`
- # temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
- networkmanager_read_pid_files(syncthing_t)
-')
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
/usr/lib/ConsoleKit/run-session.d(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/ConsoleKit/scripts(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/courier(/.*)? gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/crda/setregdomain -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cups(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/cyrus-imapd/.* -- gen_context(system_u:object_r:bin_t,s0)
@@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
/usr/lib/rpm/rpmk -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmq -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/rpm/rpmv -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/rsyslog/rsyslog-rotate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/selinux/hll/pp -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/sftp-server -- gen_context(system_u:object_r:bin_t,s0)
@@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
/usr/share/sandbox/sandboxX.sh -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/sectool/.*\.py -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
+/usr/share/smartmontools/.* -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/smolt/client(/.*)? gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/compiler\.pl -- gen_context(system_u:object_r:bin_t,s0)
/usr/share/shorewall/configpath -- gen_context(system_u:object_r:bin_t,s0)
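Review bot: `/usr/share/smartmontools/.*` with `--` gives every regular file under that directory bin_t, not just the helper scripts; if the directory also holds non-executable data such as a drive database or templates, those files receive an executable label they do not need. If only the smartd helper scripts require bin_t, a pattern naming those scripts would be preferable; otherwise a comment stating that everything in the directory is executable would justify the catch-all. The crda and rsyslog-rotate entries in the earlier hunks are single files and look fine.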
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -34,7 +34,7 @@ role system_r types sulogin_t;
allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
dontaudit local_login_t self:capability net_admin;
-allow local_login_t self:process { setexec setrlimit setsched };
+allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
allow local_login_t self:fd use;
allow local_login_t self:fifo_file rw_fifo_file_perms;
allow local_login_t self:sock_file read_sock_file_perms;
@@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
miscfiles_read_localization(local_login_t)
+userdom_manage_all_users_keys(local_login_t)
userdom_spec_domtrans_all_users(local_login_t)
userdom_signal_all_users(local_login_t)
userdom_search_user_home_content(local_login_t)
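Review bot: `userdom_manage_all_users_keys(local_login_t)` grants manage permissions on the key objects of every user domain, which is broader than what a login program typically needs to set up a session keyring (presumably via pam_keyinit); if the userdom interfaces offer a search/link-only alternative, prefer that, and in either case add a comment above the line naming the PAM module that triggered it, e.g. `# pam_keyinit: join/create the session keyring`. The `getcap setcap` addition in the first hunk likewise lacks a why-comment.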
Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
@@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)
fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_cgroup(setfiles_t)
fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
@@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
allow dhcpc_t dhcp_state_t:file read_file_perms;
manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
+allow dhcpc_t dhcpc_state_t:file map;
# create pid file
manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
@@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
logging_send_syslog_msg(ifconfig_t)
+# dhclient reads /etc/ssl
+miscfiles_read_generic_certs(dhcpc_t)
miscfiles_read_localization(ifconfig_t)
seutil_use_runinit_fds(ifconfig_t)
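Review bot: `miscfiles_read_generic_certs(dhcpc_t)` is inserted between ifconfig_t rules (`logging_send_syslog_msg(ifconfig_t)` and `miscfiles_read_localization(ifconfig_t)`), so a dhcpc_t rule now sits inside the ifconfig_t local-policy section; move it up to the dhcpc_t block next to the other `miscfiles_*` calls for that domain so the file's per-domain layout holds. The comment `# dhclient reads /etc/ssl` says what but not why — presumably a linked crypto library initialising its trust store — and the actual cause would help a later reader decide whether the read is still needed.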
Index: refpolicy-2.20180701/policy/modules/system/udev.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/udev.te
+++ refpolicy-2.20180701/policy/modules/system/udev.te
@@ -306,10 +306,6 @@ optional_policy(`
')
optional_policy(`
- lvm_domtrans(udev_t)
-')
-
-optional_policy(`
fstools_domtrans(udev_t)
')
@@ -328,6 +324,10 @@ optional_policy(`
')
optional_policy(`
+ iptables_domtrans(udev_t)
+')
+
+optional_policy(`
lvm_domtrans(udev_t)
')
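Review bot: `iptables_domtrans(udev_t)` lets the udev daemon execute iptables and transition into the iptables domain, so a udev rule can now change firewall state; nothing in the hunk says which rule or package needs this. Add a comment above the call naming the trigger, e.g. `# <package> udev rule runs iptables on interface events`, so reviewers can judge whether the transition should stay or be narrowed. The lvm_domtrans block removed in the previous hunk is re-added here unchanged, which appears to be a reordering only.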