From: Russell Coker <russell@coker.com.au>
To: "selinux-refpolicy@vger.kernel.org" <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] tiny stuff for today
Date: Tue, 22 Jan 2019 20:00:28 +1100 [thread overview]
Message-ID: <20190122090028.GA6927@xev> (raw)
Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't
be necessary.
Lots of little stuff for system_cronjob_t.
Other minor trivial changes that should be obvious.
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
')
+
+########################################
+## <summary>
+## Transition to dpkg_t when NNP has been set
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_nnp_transition',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:process2 nnp_transition;
+')
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -456,8 +456,8 @@ optional_policy(`
# System local policy
#
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
-allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
+allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
allow system_cronjob_t self:fd use;
allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
allow system_cronjob_t self:passwd rootok;
@@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
kernel_getattr_message_if(system_cronjob_t)
kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_irq_sysctls(system_cronjob_t)
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
kernel_read_system_state(system_cronjob_t)
@@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
domain_dontaudit_read_all_domains_state(system_cronjob_t)
files_exec_etc_files(system_cronjob_t)
+files_exec_usr_files(system_cronjob_t)
files_read_etc_runtime_files(system_cronjob_t)
files_list_all(system_cronjob_t)
files_getattr_all_dirs(system_cronjob_t)
@@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
libs_exec_lib_files(system_cronjob_t)
libs_exec_ld_so(system_cronjob_t)
-logging_read_generic_logs(system_cronjob_t)
+logging_manage_generic_logs(system_cronjob_t)
logging_send_audit_msgs(system_cronjob_t)
logging_send_syslog_msg(system_cronjob_t)
@@ -675,6 +677,9 @@ optional_policy(`
optional_policy(`
userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+
+ # for gpg-connect-agent to access /run/user/0
+ userdom_manage_user_runtime_dirs(system_cronjob_t)
')
########################################
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
kernel_read_crypto_sysctls(NetworkManager_t)
kernel_read_system_state(NetworkManager_t)
@@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
dev_getattr_all_chr_files(NetworkManager_t)
dev_rw_wireless(NetworkManager_t)
+# for access(2)
+dev_write_sysfs_dirs(NetworkManager_t)
+
domain_use_interactive_fds(NetworkManager_t)
domain_read_all_domains_state(NetworkManager_t)
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -147,6 +147,7 @@ type xauth_t;
type xauth_exec_t;
typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+userdom_manage_user_tmp_dirs(xauth_t)
userdom_user_application_domain(xauth_t, xauth_exec_t)
type xauth_home_t;
@@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
userdom_read_user_tmp_files(xauth_t)
xserver_rw_xdm_tmp_files(xauth_t)
+xserver_stream_connect(xauth_t)
tunable_policy(`use_nfs_home_dirs',`
fs_manage_nfs_files(xauth_t)
Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180701/policy/modules/system/unconfined.te
@@ -89,6 +89,7 @@ optional_policy(`
')
optional_policy(`
+ dpkg_nnp_transition(unconfined_t)
dpkg_run(unconfined_t, unconfined_r)
')
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
fs_getattr_xattr_fs(kmod_t)
fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
+fs_search_tracefs(kmod_t)
init_rw_initctl(kmod_t)
init_use_fds(kmod_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
fs_manage_tmpfs_chr_files(systemd_nspawn_t)
fs_mount_tmpfs(systemd_nspawn_t)
fs_remount_tmpfs(systemd_nspawn_t)
-fs_search_cgroup_dirs(systemd_nspawn_t)
+fs_remount_xattr_fs(systemd_nspawn_t)
+fs_read_cgroup_files(systemd_nspawn_t)
term_getattr_generic_ptys(systemd_nspawn_t)
term_getattr_pty_fs(systemd_nspawn_t)
next reply other threads:[~2019-01-22 9:00 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2019-01-22 9:00 Russell Coker [this message]
2019-01-22 9:17 ` [PATCH] tiny stuff for today Dominick Grift
2019-01-22 20:08 ` Russell Coker
2019-01-23 23:27 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20190122090028.GA6927@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.