From: Russell Coker
To: Dominick Grift
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc network patches with Dominick's changes
Date: Thu, 28 Jan 2021 03:35:33 +1100

On Thursday, 28 January 2021 12:29:16 AM AEDT Dominick Grift wrote:
> > Index: refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/system/sysnetwork.fc
> > +++ refpolicy-2.20210126/policy/modules/system/sysnetwork.fc
> > @@ -27,6 +27,7 @@ ifdef(`distro_debian',`
> >
> > /etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
> >
> > /etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
> >
> > +/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
>
> minor but bet to escape the period: /etc/tor/torsocks\.conf

OK fixed that.

> not sure why you associate this with net_conf_t. I probably would have
> labeled all of /etc/tor tor_conf_t (for confined tor administration etc)

Because other programs that want to use tor look at it for information on how
to connect to tor via socks.

> > Index: refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > ===================================================================
> > --- refpolicy-2.20210126.orig/policy/modules/roles/unprivuser.te
> > +++ refpolicy-2.20210126/policy/modules/roles/unprivuser.te
> > @@ -25,6 +25,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + netutils_domtrans_ping(user_t)
> > +')
>
> this is already allowed conditionally as said before. you should be able
> to remove this.

OK, removed that.

I'll send another patch now.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
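
Review bot: in the sysnetwork.fc hunk, the added `/etc/tor/torsocks.conf` entry leaves the `.` unescaped, so as a file-context regex it matches any character in that position; write it as `/etc/tor/torsocks\.conf`. The entry also has no comment saying why a single file under /etc/tor is labelled net_conf_t in this module; a one-line `#` comment above it (other programs read it to find the tor SOCKS endpoint, per the reply above) would keep a later reader from relabelling it along with the rest of /etc/tor.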
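
Review bot: in the unprivuser.te hunk, the new `optional_policy` block calls `netutils_domtrans_ping(user_t)` with no condition around it, so user_t gets the ping domain transition regardless of the conditional grant mentioned in the reply above. Drop the block, or if an unconditional grant is intended, state the reason in the patch description.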