From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] some little stuff
Date: Fri, 11 Jan 2019 21:30:43 +1100 [thread overview]
Message-ID: <20190111103043.GA22910@xev> (raw)
Tiny and I think they are all obvious.
Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
@@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t
mount_rw_runtime_files(bootloader_t)
+selinux_getattr_fs(bootloader_t)
seutil_read_bin_policy(bootloader_t)
+seutil_read_file_contexts(bootloader_t)
seutil_read_loadpolicy(bootloader_t)
seutil_dontaudit_search_config(bootloader_t)
Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
# Local policy
#
-allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# sys_ptrace is for systemctl
+allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };
# systemctl asks for net_admin
dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
+++ refpolicy-2.20180701/policy/modules/services/dhcp.te
@@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)
logging_send_syslog_msg(dhcpd_t)
+miscfiles_read_generic_certs(dhcpd_t)
miscfiles_read_localization(dhcpd_t)
sysnet_read_dhcp_config(dhcpd_t)
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -333,6 +333,7 @@ optional_policy(`
optional_policy(`
xserver_domtrans_xauth(sshd_t)
+ xserver_link_xdm_keys(sshd_t)
')
########################################
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`
########################################
## <summary>
+## Manage keys for xdm.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xserver_link_xdm_keys',`
+ gen_require(`
+ type xdm_t;
+ ')
+
+ allow $1 xdm_t:key link;
+')
+
+########################################
+## <summary>
## Read and write the mesa shader cache.
## </summary>
## <param name="domain">
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
+# for writing to ~/.local/share/sddm/xorg-session.log
+xdg_manage_data(xauth_t)
+
domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
allow xserver_t xauth_home_t:file read_file_perms;
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -337,6 +337,10 @@ optional_policy(`
networkmanager_dbus_chat(systemd_hostnamed_t)
')
+optional_policy(`
+ unconfined_dbus_send(systemd_hostnamed_t)
+')
+
#########################################
#
# hw local policy
@@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
dev_rw_sysfs(systemd_logind_t)
dev_setattr_dri_dev(systemd_logind_t)
dev_setattr_generic_usb_dev(systemd_logind_t)
+dev_setattr_input_dev(systemd_logind_t)
dev_setattr_kvm_dev(systemd_logind_t)
dev_setattr_sound_dev(systemd_logind_t)
dev_setattr_video_dev(systemd_logind_t)
@@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#
-allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
+allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
allow systemd_nspawn_t systemd_journal_t:dir search;
Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
@@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
userdom_dontaudit_search_user_home_dirs(groupadd_t)
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(groupadd_t)
')
@@ -546,6 +550,10 @@ optional_policy(`
')
optional_policy(`
+ apt_use_fds(groupadd_t)
+')
+
+optional_policy(`
dbus_system_bus_client(useradd_t)
')
next reply other threads:[~2019-01-11 10:30 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-11 10:30 Russell Coker [this message]
2019-01-12 19:28 ` [PATCH] some little stuff Chris PeBenito
2019-01-15 7:47 ` Russell Coker
2019-01-15 8:36 ` Dominick Grift
2019-01-16 23:04 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190111103043.GA22910@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.