* [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:47 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients Dominick Grift
` (37 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.fc | 1 -
1 file changed, 1 deletion(-)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index f41857e..374ac00 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -30,7 +30,6 @@ ifdef(`distro_redhat',`
/usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
-/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
ifdef(`distro_debian',`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it
2013-11-09 9:44 ` [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it Dominick Grift
@ 2013-12-03 13:47 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:47 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/udev.fc | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index f41857e..374ac00 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -30,7 +30,6 @@ ifdef(`distro_redhat',`
>
> /usr/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
>
> -/var/run/PackageKit/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
2013-11-09 9:44 ` [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 18:29 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon Dominick Grift
` (36 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/userdomain.if | 19 +++++++++++++++++++
1 file changed, 19 insertions(+)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 9dc60c6..06d8db1 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
########################################
## <summary>
+## Delete user tmpfs files.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_delete_user_tmpfs_files',`
+ gen_require(`
+ type user_tmpfs_t;
+ ')
+
+ delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
+ fs_search_tmpfs($1)
+')
+
+########################################
+## <summary>
## Read user tmpfs files.
## </summary>
## <param name="domain">
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients
2013-11-09 9:44 ` [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients Dominick Grift
@ 2013-12-03 18:29 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 18:29 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/userdomain.if | 19 +++++++++++++++++++
> 1 file changed, 19 insertions(+)
>
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 9dc60c6..06d8db1 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -2663,6 +2663,25 @@ interface(`userdom_tmp_filetrans_user_tmp',`
>
> ########################################
> ## <summary>
> +## Delete user tmpfs files.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`userdom_delete_user_tmpfs_files',`
> + gen_require(`
> + type user_tmpfs_t;
> + ')
> +
> + delete_files_pattern($1, user_tmpfs_t, user_tmpfs_t)
> + fs_search_tmpfs($1)
> +')
> +
> +########################################
> +## <summary>
> ## Read user tmpfs files.
> ## </summary>
> ## <param name="domain">
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
2013-11-09 9:44 ` [refpolicy] [PATCH 02/39] udev: this fc spec does not make sense, as there is no corresponding file type transition for it Dominick Grift
2013-11-09 9:44 ` [refpolicy] [PATCH 03/39] userdomain: add userdom_delete_user_tmpfs_files() for pulseaudio clients Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:47 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian Dominick Grift
` (35 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 39f185f..183e45d 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -184,6 +184,7 @@ ifdef(`distro_debian',`
avahi_create_pid_dirs(udev_t)
avahi_initrc_domtrans(udev_t)
avahi_manage_pid_files(udev_t)
+ avahi_setattr_pid_dirs(udev_t)
avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
')
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon
2013-11-09 9:44 ` [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon Dominick Grift
@ 2013-12-03 13:47 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:47 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 39f185f..183e45d 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -184,6 +184,7 @@ ifdef(`distro_debian',`
> avahi_create_pid_dirs(udev_t)
> avahi_initrc_domtrans(udev_t)
> avahi_manage_pid_files(udev_t)
> + avahi_setattr_pid_dirs(udev_t)
> avahi_filetrans_pid(udev_t, dir, "avahi-daemon")
> ')
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (2 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 04/39] udev: the avahi dns check script run by udev in Debian chmods /run/avahi-daemon Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:48 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc Dominick Grift
` (34 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/authlogin.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
index 09b791d..367e920 100644
--- a/policy/modules/system/authlogin.te
+++ b/policy/modules/system/authlogin.te
@@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)
dev_read_rand(chkpwd_t)
dev_read_urand(chkpwd_t)
+dev_search_sysfs(chkpwd_t)
files_read_etc_files(chkpwd_t)
# for nscd
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian
2013-11-09 9:44 ` [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian Dominick Grift
@ 2013-12-03 13:48 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:48 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/authlogin.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/authlogin.te b/policy/modules/system/authlogin.te
> index 09b791d..367e920 100644
> --- a/policy/modules/system/authlogin.te
> +++ b/policy/modules/system/authlogin.te
> @@ -105,6 +105,7 @@ domain_dontaudit_use_interactive_fds(chkpwd_t)
>
> dev_read_rand(chkpwd_t)
> dev_read_urand(chkpwd_t)
> +dev_search_sysfs(chkpwd_t)
>
> files_read_etc_files(chkpwd_t)
> # for nscd
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (3 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 05/39] authlogin: unix_chkpwd traverses / on sysfs device on Debian Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:48 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian Dominick Grift
` (33 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/setrans.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 1447687..8e1e27d 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
kernel_read_kernel_sysctls(setrans_t)
-kernel_read_proc_symlinks(setrans_t)
+kernel_read_system_state(setrans_t)
# allow performing getpidcon() on all processes
domain_read_all_domains_state(setrans_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc
2013-11-09 9:44 ` [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc Dominick Grift
@ 2013-12-03 13:48 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:48 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/setrans.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 1447687..8e1e27d 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -50,7 +50,7 @@ manage_sock_files_pattern(setrans_t, setrans_var_run_t, setrans_var_run_t)
> files_pid_filetrans(setrans_t, setrans_var_run_t, { file dir })
>
> kernel_read_kernel_sysctls(setrans_t)
> -kernel_read_proc_symlinks(setrans_t)
> +kernel_read_system_state(setrans_t)
>
> # allow performing getpidcon() on all processes
> domain_read_all_domains_state(setrans_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (4 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 06/39] setrans: mcstransd reads filesystems file in /proc Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 18:30 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up " Dominick Grift
` (32 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/setrans.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 8e1e27d..48aefa2 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
mls_process_read_up(setrans_t)
mls_socket_read_all_levels(setrans_t)
+selinux_getattr_fs(setrans_t)
selinux_compute_access_vector(setrans_t)
term_dontaudit_use_generic_ptys(setrans_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian
2013-11-09 9:44 ` [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian Dominick Grift
@ 2013-12-03 18:30 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 18:30 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/setrans.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 8e1e27d..48aefa2 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -67,6 +67,7 @@ mls_socket_write_all_levels(setrans_t)
> mls_process_read_up(setrans_t)
> mls_socket_read_all_levels(setrans_t)
>
> +selinux_getattr_fs(setrans_t)
> selinux_compute_access_vector(setrans_t)
>
> term_dontaudit_use_generic_ptys(setrans_t)
Instead of merging this, I replaced the seutil_read_config() with seutil_libselinux_linked(). It has the above access that you wanted to add.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up in Debian
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (5 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 07/39] setrans: needs to be able to get attributes of selinuxfs, else fails to start in Debian Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 18:30 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian Dominick Grift
` (31 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/fstools.te | 5 +++++
policy/modules/system/hostname.te | 4 ++++
policy/modules/system/sysnetwork.te | 4 ++++
3 files changed, 13 insertions(+)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index 3f48d30..b40e06f 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
userdom_use_user_terminals(fsadm_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(fsadm_t)
+')
+
+
ifdef(`distro_redhat',`
optional_policy(`
unconfined_domain(fsadm_t)
diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
index 24a7889..d5d4a1c 100644
--- a/policy/modules/system/hostname.te
+++ b/policy/modules/system/hostname.te
@@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
sysnet_read_config(hostname_t)
sysnet_dns_name_resolve(hostname_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(hostname_t)
+')
+
optional_policy(`
nis_use_ypbind(hostname_t)
')
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a392fc4..999e142 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
userdom_use_user_terminals(ifconfig_t)
userdom_use_all_users_fds(ifconfig_t)
+ifdef(`distro_debian',`
+ term_dontaudit_use_unallocated_ttys(ifconfig_t)
+')
+
ifdef(`distro_ubuntu',`
optional_policy(`
unconfined_domain(ifconfig_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up in Debian
2013-11-09 9:44 ` [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up " Dominick Grift
@ 2013-12-03 18:30 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 18:30 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
Merged, with a whitespace fix.
> ---
> policy/modules/system/fstools.te | 5 +++++
> policy/modules/system/hostname.te | 4 ++++
> policy/modules/system/sysnetwork.te | 4 ++++
> 3 files changed, 13 insertions(+)
>
> diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
> index 3f48d30..b40e06f 100644
> --- a/policy/modules/system/fstools.te
> +++ b/policy/modules/system/fstools.te
> @@ -149,6 +149,11 @@ seutil_read_config(fsadm_t)
>
> userdom_use_user_terminals(fsadm_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(fsadm_t)
> +')
> +
> +
> ifdef(`distro_redhat',`
> optional_policy(`
> unconfined_domain(fsadm_t)
> diff --git a/policy/modules/system/hostname.te b/policy/modules/system/hostname.te
> index 24a7889..d5d4a1c 100644
> --- a/policy/modules/system/hostname.te
> +++ b/policy/modules/system/hostname.te
> @@ -56,6 +56,10 @@ sysnet_dontaudit_rw_dhcpc_unix_stream_sockets(hostname_t)
> sysnet_read_config(hostname_t)
> sysnet_dns_name_resolve(hostname_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(hostname_t)
> +')
> +
> optional_policy(`
> nis_use_ypbind(hostname_t)
> ')
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a392fc4..999e142 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -319,6 +319,10 @@ sysnet_dontaudit_rw_dhcpc_udp_sockets(ifconfig_t)
> userdom_use_user_terminals(ifconfig_t)
> userdom_use_all_users_fds(ifconfig_t)
>
> +ifdef(`distro_debian',`
> + term_dontaudit_use_unallocated_ttys(ifconfig_t)
> +')
> +
> ifdef(`distro_ubuntu',`
> optional_policy(`
> unconfined_domain(ifconfig_t)
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (6 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 08/39] These { read write } tty_device_t chr files on boot up " Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-11-10 19:33 ` Luis Ressel
2013-11-09 9:44 ` [refpolicy] [PATCH 10/39] udev: udevd executable location changed Dominick Grift
` (30 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
These named file transitions make sure that these devices get created
with the proper types
This list is probably far from comprehensive because i only added the
ones i was able to confirm on my virtual machine
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/corenetwork.if.in | 25 ++++++
policy/modules/kernel/devices.if | 146 +++++++++++++++++++++++++++++++-
policy/modules/kernel/kernel.te | 42 +++++++++
policy/modules/kernel/terminal.if | 50 +++++++++++
policy/modules/system/udev.te | 4 +
5 files changed, 266 insertions(+), 1 deletion(-)
diff --git a/policy/modules/kernel/corenetwork.if.in b/policy/modules/kernel/corenetwork.if.in
index 07126bd..7158d4a 100644
--- a/policy/modules/kernel/corenetwork.if.in
+++ b/policy/modules/kernel/corenetwork.if.in
@@ -1993,6 +1993,31 @@ interface(`corenet_rw_tun_tap_dev',`
########################################
## <summary>
+## Create TUN/TAP virtual network devices
+## in /dev with the tun tap type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`corenet_dev_filetrans_tun_tap',`
+ gen_require(`
+ type tun_tap_device_t;
+ ')
+
+ dev_filetrans($1, tun_tap_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or write the TUN/TAP
## virtual network device.
## </summary>
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 76f285e..147170a 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1803,7 +1803,7 @@ interface(`dev_rw_crypto',`
#
interface(`dev_setattr_dlm_control',`
gen_require(`
- type device_t, kvm_device_t;
+ type device_t, dlm_control_device_t;
')
setattr_chr_files_pattern($1, device_t, dlm_control_device_t)
@@ -2017,6 +2017,30 @@ interface(`dev_rw_input_dev',`
########################################
## <summary>
+## Automatic type transition to the type
+## for input device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_input',`
+ gen_require(`
+ type device_t, event_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, event_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the framebuffer device node.
## </summary>
## <param name="domain">
@@ -2340,6 +2364,30 @@ interface(`dev_rw_kvm',`
rw_chr_files_pattern($1, device_t, kvm_device_t)
')
+########################################
+## <summary>
+## Automatic type transition to the type
+## for kvm device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_kvm',`
+ gen_require(`
+ type device_t, kvm_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, kvm_device_t, chr_file, $2)
+')
+
######################################
## <summary>
## Read the lirc device.
@@ -2883,6 +2931,30 @@ interface(`dev_rw_mouse',`
########################################
## <summary>
+## Automatic type transition to the type
+## for mouse device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_mouse',`
+ gen_require(`
+ type device_t, mouse_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, mouse_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the memory type range
## registers (MTRR) device.
## </summary>
@@ -3691,6 +3763,30 @@ interface(`dev_write_sound_mixer',`
########################################
## <summary>
+## Automatic type transition to the type
+## for sound mixer device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_sound_mixer',`
+ gen_require(`
+ type device_t, sound_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, sound_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Get the attributes of the the power management device.
## </summary>
## <param name="domain">
@@ -4203,6 +4299,30 @@ interface(`dev_relabel_generic_usb_dev',`
########################################
## <summary>
+## Automatic type transition to the type
+## for usb device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_usb',`
+ gen_require(`
+ type device_t, usb_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, usb_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read USB monitor devices.
## </summary>
## <param name="domain">
@@ -4648,6 +4768,30 @@ interface(`dev_rw_wireless',`
########################################
## <summary>
+## Automatic type transition to the type
+## for wireless device nodes when created in /dev.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`dev_filetrans_wireless',`
+ gen_require(`
+ type device_t, wireless_device_t;
+ ')
+
+ filetrans_pattern($1, device_t, wireless_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Read and write Xen devices.
## </summary>
## <param name="domain">
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index 8dbab4c..dd1e7e7 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -285,6 +285,48 @@ mls_process_write_down(kernel_t)
mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
+ifdef(`distro_debian',`
+ dev_filetrans_input(kernel_t, "event0")
+ dev_filetrans_input(kernel_t, "event1")
+ dev_filetrans_input(kernel_t, "event2")
+ dev_filetrans_input(kernel_t, "event3")
+ dev_filetrans_input(kernel_t, "event4")
+ dev_filetrans_input(kernel_t, "event5")
+ dev_filetrans_kvm(kernel_t, "kvm")
+ dev_filetrans_mouse(kernel_t, "js0")
+ dev_filetrans_mouse(kernel_t, "js1")
+ dev_filetrans_mouse(kernel_t, "mouse0")
+ dev_filetrans_mouse(kernel_t, "mouse1")
+ dev_filetrans_mouse(kernel_t, "mouse2")
+ dev_filetrans_sound_mixer(kernel_t, "controlC0")
+ dev_filetrans_sound_mixer(kernel_t, "hwC0D0")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0c")
+ dev_filetrans_sound_mixer(kernel_t, "pcmC0D0p")
+ dev_filetrans_usb(kernel_t, "001")
+ dev_filetrans_usb(kernel_t, "002")
+ dev_filetrans_wireless(kernel_t, "rfkill")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcs7")
+
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa1")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa2")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa3")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa4")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa5")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa6")
+ term_dev_filetrans_unallocated_ttys(kernel_t, "vcsa7")
+
+ term_dev_filetrans_virtio_console(kernel_t, "vport1p1")
+')
+
ifdef(`distro_redhat',`
# Bugzilla 222337
fs_rw_tmpfs_chr_files(kernel_t)
diff --git a/policy/modules/kernel/terminal.if b/policy/modules/kernel/terminal.if
index cbb729b..c08b093 100644
--- a/policy/modules/kernel/terminal.if
+++ b/policy/modules/kernel/terminal.if
@@ -1245,6 +1245,31 @@ interface(`term_use_unallocated_ttys',`
########################################
## <summary>
+## Create unallocated tty devices in /dev
+## with the unallocated tty type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_unallocated_ttys',`
+ gen_require(`
+ type tty_device_t;
+ ')
+
+ dev_filetrans($1, tty_device_t, chr_file, $2)
+')
+
+########################################
+## <summary>
## Do not audit attempts to read or
## write unallocated ttys.
## </summary>
@@ -1531,3 +1556,28 @@ interface(`term_use_virtio_console',`
dev_list_all_dev_nodes($1)
allow $1 virtio_device_t:chr_file rw_term_perms;
')
+
+########################################
+## <summary>
+## Create virtio console devices in /dev
+## with the virtio console type
+## via an automatic type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="filename" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`term_dev_filetrans_virtio_console',`
+ gen_require(`
+ type virtio_device_t;
+ ')
+
+ dev_filetrans($1, virtio_device_t, chr_file, $2)
+')
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 183e45d..47bfc33 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -174,8 +174,12 @@ sysnet_etc_filetrans_config(udev_t)
userdom_dontaudit_search_user_home_content(udev_t)
ifdef(`distro_debian',`
+ corenet_dev_filetrans_tun_tap(udev_t, "tun")
+
files_pid_filetrans(udev_t, udev_var_run_t, dir, "xen-hotplug")
+ storage_dev_filetrans_fixed_disk(udev_t, "loop0")
+
optional_policy(`
# for /usr/lib/avahi/avahi-daemon-check-dns.sh
kernel_read_vm_sysctls(udev_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.
2013-11-09 9:44 ` [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian Dominick Grift
@ 2013-11-10 19:33 ` Luis Ressel
2013-11-10 20:58 ` Dominick Grift
0 siblings, 1 reply; 89+ messages in thread
From: Luis Ressel @ 2013-11-10 19:33 UTC (permalink / raw)
To: refpolicy
I also experience this problem when I reconnect my mouse, so it isn't
debian-specific. I'm not a SELinux expert, but this patch looks like a
workaround to me, not like a real fix. It's also a bit limited: For
example, on my system, there are more event devices than event0 -
event5 (atm, the mouse in question is at event9).
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 836 bytes
Desc: not available
Url : http://oss.tresys.com/pipermail/refpolicy/attachments/20131110/b099aaa6/attachment.bin
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.
2013-11-10 19:33 ` Luis Ressel
@ 2013-11-10 20:58 ` Dominick Grift
2013-11-11 14:21 ` Daniel J Walsh
0 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-10 20:58 UTC (permalink / raw)
To: refpolicy
On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
> I also experience this problem when I reconnect my mouse, so it isn't
> debian-specific. I'm not a SELinux expert, but this patch looks like a
> workaround to me, not like a real fix. It's also a bit limited: For
> example, on my system, there are more event devices than event0 -
> event5 (atm, the mouse in question is at event9).
I consider this to be a )possible) starting point
I do not think we should add named file type transitions for every
conceivable object in /dev like i think Fedora does
Only the ones that are actually confirmed. but yes this should probably
not be distro specific.
Consider this patch a [RFC]
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian.
2013-11-10 20:58 ` Dominick Grift
@ 2013-11-11 14:21 ` Daniel J Walsh
0 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2013-11-11 14:21 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 11/10/2013 03:58 PM, Dominick Grift wrote:
> On Sun, 2013-11-10 at 20:33 +0100, Luis Ressel wrote:
>> I also experience this problem when I reconnect my mouse, so it isn't
>> debian-specific. I'm not a SELinux expert, but this patch looks like a
>> workaround to me, not like a real fix. It's also a bit limited: For
>> example, on my system, there are more event devices than event0 - event5
>> (atm, the mouse in question is at event9).
>
> I consider this to be a )possible) starting point
>
> I do not think we should add named file type transitions for every
> conceivable object in /dev like i think Fedora does
>
> Only the ones that are actually confirmed. but yes this should probably not
> be distro specific.
>
> Consider this patch a [RFC]
>
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
The ones we have added in Fedora have been confirmed. We just round up to
the next 10 when they happen. We add them when we see bug reports for
mislabeled devices.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKA5/UACgkQrlYvE4MpobMamgCgtKW39NzDr358RVqy+VqKD7yG
/y4An0sAzsWITVqxZPMBaRL3Vhs/5nRb
=9UaC
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 10/39] udev: udevd executable location changed
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (7 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 09/39] These are some of the device nodes created by kernel, and udev with the generic device_t type in debian Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 18:30 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf Dominick Grift
` (29 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index 374ac00..dd1a887 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
/var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
ifdef(`distro_debian',`
+/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
/var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 10/39] udev: udevd executable location changed
2013-11-09 9:44 ` [refpolicy] [PATCH 10/39] udev: udevd executable location changed Dominick Grift
@ 2013-12-03 18:30 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 18:30 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/udev.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
> index 374ac00..dd1a887 100644
> --- a/policy/modules/system/udev.fc
> +++ b/policy/modules/system/udev.fc
> @@ -33,5 +33,6 @@ ifdef(`distro_redhat',`
> /var/run/udev(/.*)? gen_context(system_u:object_r:udev_var_run_t,s0)
>
> ifdef(`distro_debian',`
> +/lib/systemd/systemd-udevd -- gen_context(system_u:object_r:udev_exec_t,s0)
> /var/run/xen-hotplug -d gen_context(system_u:object_r:udev_var_run_t,s0)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (8 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 10/39] udev: udevd executable location changed Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:48 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb Dominick Grift
` (28 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
index 47bfc33..f6ee5ae 100644
--- a/policy/modules/system/udev.te
+++ b/policy/modules/system/udev.te
@@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
miscfiles_read_hwdata(udev_t)
modutils_domtrans_insmod(udev_t)
+modutils_read_module_config(udev_t)
# read modules.inputmap:
modutils_read_module_deps(udev_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf
2013-11-09 9:44 ` [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf Dominick Grift
@ 2013-12-03 13:48 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:48 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/udev.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/udev.te b/policy/modules/system/udev.te
> index 47bfc33..f6ee5ae 100644
> --- a/policy/modules/system/udev.te
> +++ b/policy/modules/system/udev.te
> @@ -154,6 +154,7 @@ miscfiles_read_localization(udev_t)
> miscfiles_read_hwdata(udev_t)
>
> modutils_domtrans_insmod(udev_t)
> +modutils_read_module_config(udev_t)
> # read modules.inputmap:
> modutils_read_module_deps(udev_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (9 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 11/39] udev: reads modules config: /etc/modprobe.d/alsa-base-blacklist.conf Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 18:30 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian Dominick Grift
` (27 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/lvm.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
index 79048c4..d379ef3 100644
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
dev_relabel_generic_dev_dirs(lvm_t)
dev_manage_generic_blk_files(lvm_t)
# Read /sys/block. Device mapper metadata is kept there.
-dev_read_sysfs(lvm_t)
+dev_rw_sysfs(lvm_t)
# cjp: this has no effect since LVM does not
# have lnk_file relabelto for anything else.
# perhaps this should be blk_files?
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb
2013-11-09 9:44 ` [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb Dominick Grift
@ 2013-12-03 18:30 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 18:30 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/lvm.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/lvm.te b/policy/modules/system/lvm.te
> index 79048c4..d379ef3 100644
> --- a/policy/modules/system/lvm.te
> +++ b/policy/modules/system/lvm.te
> @@ -234,7 +234,7 @@ dev_manage_generic_symlinks(lvm_t)
> dev_relabel_generic_dev_dirs(lvm_t)
> dev_manage_generic_blk_files(lvm_t)
> # Read /sys/block. Device mapper metadata is kept there.
> -dev_read_sysfs(lvm_t)
> +dev_rw_sysfs(lvm_t)
> # cjp: this has no effect since LVM does not
> # have lnk_file relabelto for anything else.
> # perhaps this should be blk_files?
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (10 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 12/39] lvm: lvm writes read_ahead_kb Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-06 14:50 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 14/39] fstools: hdparm append (what seems inherited from devicekit ) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock Dominick Grift
` (26 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/admin/usermanage.fc | 4 ++++
policy/modules/admin/usermanage.te | 3 +++
2 files changed, 7 insertions(+)
diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
index f82f0ce..4b7737e 100644
--- a/policy/modules/admin/usermanage.fc
+++ b/policy/modules/admin/usermanage.fc
@@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
/bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
')
+ifdef(`distro_debian',`
+/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
+')
+
/usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
/usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
/usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
index 1d732f1..471d4a7 100644
--- a/policy/modules/admin/usermanage.te
+++ b/policy/modules/admin/usermanage.te
@@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
userdom_dontaudit_search_user_home_dirs(crack_t)
ifdef(`distro_debian',`
+ allow crack_t self:process getsched;
# the package cracklib-runtime on Debian contains a daily maintenance
# script /etc/cron.daily/cracklib-runtime, that calls
# update-cracklib and that calls crack_mkdict, which is a shell script.
corecmd_exec_shell(crack_t)
+ dev_search_sysfs(crack_t)
+ miscfiles_read_localization(crack_t)
')
optional_policy(`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian
2013-11-09 9:44 ` [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian Dominick Grift
@ 2013-12-06 14:50 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:50 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/admin/usermanage.fc | 4 ++++
> policy/modules/admin/usermanage.te | 3 +++
> 2 files changed, 7 insertions(+)
>
> diff --git a/policy/modules/admin/usermanage.fc b/policy/modules/admin/usermanage.fc
> index f82f0ce..4b7737e 100644
> --- a/policy/modules/admin/usermanage.fc
> +++ b/policy/modules/admin/usermanage.fc
> @@ -2,6 +2,10 @@ ifdef(`distro_gentoo',`
> /bin/passwd -- gen_context(system_u:object_r:passwd_exec_t,s0)
> ')
>
> +ifdef(`distro_debian',`
> +/etc/cron\.daily/cracklib-runtime -- gen_context(system_u:object_r:crack_exec_t,s0)
> +')
> +
> /usr/bin/chage -- gen_context(system_u:object_r:passwd_exec_t,s0)
> /usr/bin/chfn -- gen_context(system_u:object_r:chfn_exec_t,s0)
> /usr/bin/chsh -- gen_context(system_u:object_r:chfn_exec_t,s0)
> diff --git a/policy/modules/admin/usermanage.te b/policy/modules/admin/usermanage.te
> index 1d732f1..471d4a7 100644
> --- a/policy/modules/admin/usermanage.te
> +++ b/policy/modules/admin/usermanage.te
> @@ -171,10 +171,13 @@ logging_send_syslog_msg(crack_t)
> userdom_dontaudit_search_user_home_dirs(crack_t)
>
> ifdef(`distro_debian',`
> + allow crack_t self:process getsched;
> # the package cracklib-runtime on Debian contains a daily maintenance
> # script /etc/cron.daily/cracklib-runtime, that calls
> # update-cracklib and that calls crack_mkdict, which is a shell script.
> corecmd_exec_shell(crack_t)
> + dev_search_sysfs(crack_t)
> + miscfiles_read_localization(crack_t)
> ')
>
> optional_policy(`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 14/39] fstools: hdparm append (what seems inherited from devicekit ) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (11 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 13/39] usermanage: Run /etc/cron\.daily/cracklib-runtime in the crack_t domain in Debian Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:49 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 15/39] sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf Dominick Grift
` (25 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/fstools.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/fstools.te b/policy/modules/system/fstools.te
index b40e06f..6f9fde9 100644
--- a/policy/modules/system/fstools.te
+++ b/policy/modules/system/fstools.te
@@ -171,6 +171,11 @@ optional_policy(`
')
optional_policy(`
+ devicekit_read_pid_files(fsadm_t)
+ devicekit_append_inherited_log_files(fsadm_t)
+')
+
+optional_policy(`
hal_dontaudit_write_log(fsadm_t)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 15/39] sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (12 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 14/39] fstools: hdparm append (what seems inherited from devicekit ) /var/log/pm-powersave.log fstools: hdparm reads /run/pm-utils/locks/pm-powersave.lock Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-03 13:49 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian Dominick Grift
` (24 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/sysnetwork.te | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index 999e142..a2b9820 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -201,6 +201,13 @@ optional_policy(`
')
optional_policy(`
+ networkmanager_domtrans(dhcpc_t)
+ networkmanager_read_pid_files(dhcpc_t)
+ networkmanager_manage_lib_files(dhcpc_t)
+ networkmanager_stream_connect(dhcpc_t)
+')
+
+optional_policy(`
nis_read_ypbind_pid(dhcpc_t)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (13 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 15/39] sysnetwork: dhcpc: networkmanager interface calls from Fedora. In Debian i was able to confirm the need for networkmanager_manage_lib_files(dhcpc_t) since dhclient reads /var/lib/NetworkManager/dhclient-eth0.conf Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-06 14:50 ` Christopher J. PeBenito
2013-11-09 9:44 ` [refpolicy] [PATCH 17/39] init: This should make transitions to init_script_domains() work for direct_sysadm_daemon Dominick Grift
` (23 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/iptables.te | 6 ++++++
1 file changed, 6 insertions(+)
diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
index be8ed1e..63eb287 100644
--- a/policy/modules/system/iptables.te
+++ b/policy/modules/system/iptables.te
@@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
allow iptables_t iptables_tmp_t:file manage_file_perms;
files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
+kernel_getattr_proc(iptables_t)
kernel_request_load_module(iptables_t)
kernel_read_system_state(iptables_t)
kernel_read_network_state(iptables_t)
@@ -105,6 +106,11 @@ optional_policy(`
')
optional_policy(`
+ firewalld_read_config_files(iptables_t)
+ firewalld_dontaudit_rw_tmp_files(iptables_t)
+')
+
+optional_policy(`
firstboot_use_fds(iptables_t)
firstboot_rw_pipes(iptables_t)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian.
2013-11-09 9:44 ` [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian Dominick Grift
@ 2013-12-06 14:50 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:50 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/iptables.te | 6 ++++++
> 1 file changed, 6 insertions(+)
>
> diff --git a/policy/modules/system/iptables.te b/policy/modules/system/iptables.te
> index be8ed1e..63eb287 100644
> --- a/policy/modules/system/iptables.te
> +++ b/policy/modules/system/iptables.te
> @@ -49,6 +49,7 @@ allow iptables_t iptables_tmp_t:dir manage_dir_perms;
> allow iptables_t iptables_tmp_t:file manage_file_perms;
> files_tmp_filetrans(iptables_t, iptables_tmp_t, { file dir })
>
> +kernel_getattr_proc(iptables_t)
> kernel_request_load_module(iptables_t)
> kernel_read_system_state(iptables_t)
> kernel_read_network_state(iptables_t)
> @@ -105,6 +106,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + firewalld_read_config_files(iptables_t)
> + firewalld_dontaudit_rw_tmp_files(iptables_t)
> +')
> +
> +optional_policy(`
> firstboot_use_fds(iptables_t)
> firstboot_rw_pipes(iptables_t)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 17/39] init: This should make transitions to init_script_domains() work for direct_sysadm_daemon
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (14 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 16/39] iptables: calls to firewalld interfaces from Fedora. The firewalld_dontaudit_rw_tmp_files(iptables_t) was confirmed on Debian Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-11-09 9:44 ` [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well Dominick Grift
` (22 subsequent siblings)
38 siblings, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.if | 13 ++++++++++++-
1 file changed, 12 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 79a45f6..bc49474 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -67,7 +67,8 @@ interface(`init_script_file',`
interface(`init_script_domain',`
gen_require(`
attribute init_script_domain_type, init_script_file_type;
- attribute init_run_all_scripts_domain;
+ attribute init_run_all_scripts_domain, direct_init, direct_init_entry;
+ attribute direct_run_init;
')
typeattribute $1 init_script_domain_type;
@@ -77,6 +78,16 @@ interface(`init_script_domain',`
domain_entry_file($1, $2)
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
+
+ ifdef(`direct_sysadm_daemon',`
+ domtrans_pattern(direct_run_init, $2, $1)
+ allow direct_run_init $1:process { noatsecure siginh rlimitinh };
+
+ typeattribute $1 direct_init;
+ typeattribute $2 direct_init_entry;
+
+ userdom_dontaudit_use_user_terminals($1)
+ ')
')
########################################
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (15 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 17/39] init: This should make transitions to init_script_domains() work for direct_sysadm_daemon Dominick Grift
@ 2013-11-09 9:44 ` Dominick Grift
2013-12-06 13:50 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon ) Dominick Grift
` (21 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:44 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/unconfined.te | 14 +++++++++++---
1 file changed, 11 insertions(+), 3 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 5fe902d..28a2188 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)
userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
-ifdef(`distro_gentoo',`
- seutil_run_runinit(unconfined_t, unconfined_r)
- seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ifdef(`direct_sysadm_daemon',`
+ optional_policy(`
+ init_run_daemon(unconfined_t, unconfined_r)
+ ')
+',`
+ ifdef(`distro_gentoo',`
+ optional_policy(`
+ seutil_run_runinit(unconfined_t, unconfined_r)
+ seutil_init_script_run_runinit(unconfined_t, unconfined_r)
+ ')
+ ')
')
optional_policy(`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well
2013-11-09 9:44 ` [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well Dominick Grift
@ 2013-12-06 13:50 ` Christopher J. PeBenito
2013-12-06 14:33 ` Dominick Grift
0 siblings, 1 reply; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 13:50 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/unconfined.te | 14 +++++++++++---
> 1 file changed, 11 insertions(+), 3 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 5fe902d..28a2188 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -49,9 +49,17 @@ unconfined_domain(unconfined_t)
>
> userdom_user_home_dir_filetrans_user_home_content(unconfined_t, { dir file lnk_file fifo_file sock_file })
>
> -ifdef(`distro_gentoo',`
> - seutil_run_runinit(unconfined_t, unconfined_r)
> - seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> +ifdef(`direct_sysadm_daemon',`
> + optional_policy(`
> + init_run_daemon(unconfined_t, unconfined_r)
> + ')
> +',`
> + ifdef(`distro_gentoo',`
> + optional_policy(`
> + seutil_run_runinit(unconfined_t, unconfined_r)
> + seutil_init_script_run_runinit(unconfined_t, unconfined_r)
> + ')
> + ')
> ')
I get an error:
/usr/bin/checkpolicy: loading policy configuration from policy.conf
policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
#line 52
role_transition unconfined_r direct_init_entry system_r;
checkpolicy: error(s) encountered while parsing configuration
make: *** [policy.29] Error 1
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well
2013-12-06 13:50 ` Christopher J. PeBenito
@ 2013-12-06 14:33 ` Dominick Grift
0 siblings, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2013-12-06 14:33 UTC (permalink / raw)
To: refpolicy
On Fri, 2013-12-06 at 08:50 -0500, Christopher J. PeBenito wrote:
> I get an error:
>
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/system/unconfined.te":52:ERROR 'duplicate role transition for (unconfined_r,NetworkManager_exec_t,process)' at token ';' on line 2433460:
> #line 52
> role_transition unconfined_r direct_init_entry system_r;
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>
>
Monolithic i assume. Because i did not see this in modular builts.
This can probably be easily fixed though
What is more important to me right now is to know that you are not
opposed to the idea of making direct_sysadm_daemon apply to unconfined_t
in general.
I am sorry though about all these built errors i should have tested it
more thoroughly...
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon )
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (16 preceding siblings ...)
2013-11-09 9:44 ` [refpolicy] [PATCH 18/39] unconfined: make direct_sysadm_daemon apply to unconfined_r:unconfined_t as well Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-06 14:28 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 20/39] init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role Dominick Grift
` (20 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/users | 6 +++++-
1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/policy/users b/policy/users
index c4ebc7e..5db8cf4 100644
--- a/policy/users
+++ b/policy/users
@@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
# Until order dependence is fixed for users:
-gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
#
# The following users correspond to Unix identities.
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon )
2013-11-09 9:45 ` [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon ) Dominick Grift
@ 2013-12-06 14:28 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:28 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/users | 6 +++++-
> 1 file changed, 5 insertions(+), 1 deletion(-)
>
> diff --git a/policy/users b/policy/users
> index c4ebc7e..5db8cf4 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -29,7 +29,11 @@ gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> # Until order dependence is fixed for users:
> -gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
>
> #
> # The following users correspond to Unix identities.
Skipping this for now since the corresponding other change in unconfined has that transition conflict.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 20/39] init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (17 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 19/39] users: associate the system_r role to unconfined_u identity conditionally ( direct_sysadm_daemon ) Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-10 15:40 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type Dominick Grift
` (19 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index bc49474..9bce838 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -998,6 +998,8 @@ interface(`init_run_daemon',`
')
typeattribute $1 direct_run_init;
+
+ allow $2 system_r;
role_transition $2 direct_init_entry system_r;
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (18 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 20/39] init: for a specified automatic role transition to work. the source role must be allowed to change manually to the target role Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-10 15:40 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 22/39] sysbnetwork: dhclient searches /var/lib/ntp Dominick Grift
` (18 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.if | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
index 9bce838..dc9f92b 100644
--- a/policy/modules/system/init.if
+++ b/policy/modules/system/init.if
@@ -77,6 +77,8 @@ interface(`init_script_domain',`
domain_type($1)
domain_entry_file($1, $2)
+ role system_r types $1;
+
domtrans_pattern(init_run_all_scripts_domain, $2, $1)
ifdef(`direct_sysadm_daemon',`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type
2013-11-09 9:45 ` [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type Dominick Grift
@ 2013-12-10 15:40 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-10 15:40 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.if | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.if b/policy/modules/system/init.if
> index 9bce838..dc9f92b 100644
> --- a/policy/modules/system/init.if
> +++ b/policy/modules/system/init.if
> @@ -77,6 +77,8 @@ interface(`init_script_domain',`
> domain_type($1)
> domain_entry_file($1, $2)
>
> + role system_r types $1;
> +
> domtrans_pattern(init_run_all_scripts_domain, $2, $1)
>
> ifdef(`direct_sysadm_daemon',`
This failed to apply for me; it's been manually applied.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 22/39] sysbnetwork: dhclient searches /var/lib/ntp
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (19 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 21/39] init: init_script_domain() allow system_r role the init script domain type Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-03 13:51 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 23/39] Initial local_home_t implementation Dominick Grift
` (17 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/sysnetwork.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
index a2b9820..5857838 100644
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -219,6 +219,7 @@ optional_policy(`
optional_policy(`
ntp_initrc_domtrans(dhcpc_t)
+ ntp_read_drift_files(dhcpc_t)
')
optional_policy(`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 22/39] sysbnetwork: dhclient searches /var/lib/ntp
2013-11-09 9:45 ` [refpolicy] [PATCH 22/39] sysbnetwork: dhclient searches /var/lib/ntp Dominick Grift
@ 2013-12-03 13:51 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:51 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/sysnetwork.te | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te
> index a2b9820..5857838 100644
> --- a/policy/modules/system/sysnetwork.te
> +++ b/policy/modules/system/sysnetwork.te
> @@ -219,6 +219,7 @@ optional_policy(`
>
> optional_policy(`
> ntp_initrc_domtrans(dhcpc_t)
> + ntp_read_drift_files(dhcpc_t)
> ')
>
> optional_policy(`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 23/39] Initial local_home_t implementation
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (20 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 22/39] sysbnetwork: dhclient searches /var/lib/ntp Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-11-09 9:45 ` [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover Dominick Grift
` (16 subsequent siblings)
38 siblings, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
This was discussed on the maillist. It was decided to make this part of
the user domain since Python also uses local_home_t
This is part of implementation of X Desktop Group specification support
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/userdomain.fc | 1 +
policy/modules/system/userdomain.if | 190 ++++++++++++++++++++++++++++++++----
policy/modules/system/userdomain.te | 3 +
3 files changed, 175 insertions(+), 19 deletions(-)
diff --git a/policy/modules/system/userdomain.fc b/policy/modules/system/userdomain.fc
index db75976..ec5c90a 100644
--- a/policy/modules/system/userdomain.fc
+++ b/policy/modules/system/userdomain.fc
@@ -1,4 +1,5 @@
HOME_DIR -d gen_context(system_u:object_r:user_home_dir_t,s0-mls_systemhigh)
HOME_DIR/.+ gen_context(system_u:object_r:user_home_t,s0)
+HOME_DIR/\.local(/.*)? gen_context(system_u:object_r:local_home_t,s0)
/tmp/gconfd-USER -d gen_context(system_u:object_r:user_tmp_t,s0)
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 06d8db1..189f786 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -147,7 +147,7 @@ template(`userdom_base_user_template',`
#
interface(`userdom_ro_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')
##############################
@@ -159,12 +159,12 @@ interface(`userdom_ro_home_role',`
# read-only home directory
allow $2 user_home_dir_t:dir list_dir_perms;
- allow $2 user_home_t:dir list_dir_perms;
- allow $2 user_home_t:file entrypoint;
- read_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_lnk_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_fifo_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
- read_sock_files_pattern($2, { user_home_t user_home_dir_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:dir list_dir_perms;
+ allow $2 ( local_home_t user_home_t }:file entrypoint;
+ read_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_lnk_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_fifo_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
+ read_sock_files_pattern($2, { local_home_t user_home_t user_home_dir_t }, { local_home_t user_home_t })
files_list_home($2)
tunable_policy(`use_nfs_home_dirs',`
@@ -218,7 +218,7 @@ interface(`userdom_ro_home_role',`
#
interface(`userdom_manage_home_role',`
gen_require(`
- type user_home_t, user_home_dir_t;
+ type user_home_t, user_home_dir_t, local_home_t;
')
##############################
@@ -229,18 +229,19 @@ interface(`userdom_manage_home_role',`
type_member $2 user_home_dir_t:dir user_home_dir_t;
# full control of the home directory
- allow $2 user_home_t:file entrypoint;
- manage_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- manage_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_dirs_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_lnk_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_sock_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
- relabel_fifo_files_pattern($2, { user_home_dir_t user_home_t }, user_home_t)
+ allow $2 { local_home_t user_home_t }:file entrypoint;
+ manage_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ manage_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_dirs_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_lnk_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_sock_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
+ relabel_fifo_files_pattern($2, { local_home_t user_home_dir_t user_home_t }, { local_home_t user_home_t })
filetrans_pattern($2, user_home_dir_t, user_home_t, { dir file lnk_file sock_file fifo_file })
+ filetrans_pattern($2, user_home_t, local_home_t, dir, ".local")
files_list_home($2)
# cjp: this should probably be removed:
@@ -2200,6 +2201,157 @@ interface(`userdom_manage_user_home_content_sockets',`
########################################
## <summary>
+## Create generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_create_generic_local_home_dirs',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ allow $1 local_home_t:dir create_dir_perms;
+')
+
+########################################
+## <summary>
+## Read generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_read_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir list_dir_perms;
+ allow $1 local_home_t:file read_file_perms;
+ allow $1 local_home_t:fifo_file read_fifo_file_perms;
+ allow $1 local_home_t:lnk_file read_lnk_file_perms;
+ allow $1 local_home_t:sock_file read_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Create, read, write, and delete
+## generic local home content.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_manage_generic_local_home_content',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir manage_dir_perms;
+ allow $1 local_home_t:file manage_file_perms;
+ allow $1 local_home_t:fifo_file manage_fifo_file_perms;
+ allow $1 local_home_t:lnk_file manage_lnk_file_perms;
+ allow $1 local_home_t:sock_file manage_sock_file_perms;
+')
+
+########################################
+## <summary>
+## Search generic local home directories.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`userdom_search_generic_local_home',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ userdom_search_user_home_dirs($1)
+ allow $1 local_home_t:dir search_dir_perms;
+')
+
+########################################
+## <summary>
+## Create specified objects in generic
+## local home directories with an automatic
+## type transition to a specified private type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="private_type">
+## <summary>
+## The type of the object to create.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_local_home_filetrans',`
+ gen_require(`
+ type local_home_t;
+ ')
+
+ filetrans_pattern($1, local_home_t, $2, $3, $4)
+ userdom_search_user_home_content($1)
+')
+
+########################################
+## <summary>
+## Create specified objects in generic user
+## home content directories with an automatic
+## type transition to the generic local
+## home file type.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## The class of the object to be created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`userdom_user_home_content_filetrans_local_home',`
+ gen_require(`
+ type user_home_t, local_home_t;
+ ')
+
+ userdom_user_home_content_filetrans($1, local_home_t, $2, $3)
+')
+
+########################################
+## <summary>
## Create objects in a user home directory
## with an automatic type transition to
## a specified private type.
diff --git a/policy/modules/system/userdomain.te b/policy/modules/system/userdomain.te
index f4ac38d..d657ea7 100644
--- a/policy/modules/system/userdomain.te
+++ b/policy/modules/system/userdomain.te
@@ -58,6 +58,9 @@ attribute unpriv_userdomain;
attribute user_home_content_type;
+type local_home_t;
+userdom_user_home_content(local_home_t)
+
type user_home_dir_t alias { staff_home_dir_t sysadm_home_dir_t secadm_home_dir_t auditadm_home_dir_t unconfined_home_dir_t };
fs_associate_tmpfs(user_home_dir_t)
files_type(user_home_dir_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (21 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 23/39] Initial local_home_t implementation Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-06 13:34 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed Dominick Grift
` (15 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/services/xserver.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 8274418..c74ba1f 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
+HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
#
# /dev
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-11-09 9:45 ` [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover Dominick Grift
@ 2013-12-06 13:34 ` Christopher J. PeBenito
2013-12-06 13:56 ` Dominick Grift
0 siblings, 1 reply; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 13:34 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/services/xserver.fc | 1 +
> 1 file changed, 1 insertion(+)
>
> diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> index 8274418..c74ba1f 100644
> --- a/policy/modules/services/xserver.fc
> +++ b/policy/modules/services/xserver.fc
> @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
>
> #
Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-12-06 13:34 ` Christopher J. PeBenito
@ 2013-12-06 13:56 ` Dominick Grift
2013-12-06 13:59 ` Daniel J Walsh
0 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-12-06 13:56 UTC (permalink / raw)
To: refpolicy
On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> > policy/modules/services/xserver.fc | 1 +
> > 1 file changed, 1 insertion(+)
> >
> > diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
> > index 8274418..c74ba1f 100644
> > --- a/policy/modules/services/xserver.fc
> > +++ b/policy/modules/services/xserver.fc
> > @@ -9,6 +9,7 @@ HOME_DIR/\.ICEauthority.* -- gen_context(system_u:object_r:iceauth_home_t,s0)
> > HOME_DIR/\.serverauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.xauth.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> > +HOME_DIR/\.xsession-errors.* -- gen_context(system_u:object_r:xauth_home_t,s0)
> >
> > #
>
> Does xauth create this log? If xdm does, then it makes more sense to have an xdm derived type. Otherwise I don't see why this shouldn't be user_home_t.
>
I can't tell, both xdm_t as well as xauth_t are currently allowed to
create files in user home directories with the xauth_home_t type
Does it make sense for a efficiency/security standpoint to create new
type for this?
Anyways if you want a new type for this then drop this patch for now
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-12-06 13:56 ` Dominick Grift
@ 2013-12-06 13:59 ` Daniel J Walsh
2013-12-06 14:29 ` Dominick Grift
0 siblings, 1 reply; 89+ messages in thread
From: Daniel J Walsh @ 2013-12-06 13:59 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2013 08:56 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:34 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> ---
>>> policy/modules/services/xserver.fc | 1 + 1 file changed, 1
>>> insertion(+)
>>>
>>> diff --git a/policy/modules/services/xserver.fc
>>> b/policy/modules/services/xserver.fc index 8274418..c74ba1f 100644 ---
>>> a/policy/modules/services/xserver.fc +++
>>> b/policy/modules/services/xserver.fc @@ -9,6 +9,7 @@
>>> HOME_DIR/\.ICEauthority.* --
>>> gen_context(system_u:object_r:iceauth_home_t,s0)
>>> HOME_DIR/\.serverauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.xauth.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0) HOME_DIR/\.Xauthority.*
>>> -- gen_context(system_u:object_r:xauth_home_t,s0)
>>> +HOME_DIR/\.xsession-errors.* --
>>> gen_context(system_u:object_r:xauth_home_t,s0)
>>>
>>> #
>>
>> Does xauth create this log? If xdm does, then it makes more sense to
>> have an xdm derived type. Otherwise I don't see why this shouldn't be
>> user_home_t.
>>
>
> I can't tell, both xdm_t as well as xauth_t are currently allowed to create
> files in user home directories with the xauth_home_t type
>
> Does it make sense for a efficiency/security standpoint to create new type
> for this?
>
> Anyways if you want a new type for this then drop this patch for now
>
> _______________________________________________ refpolicy mailing list
> refpolicy at oss.tresys.com http://oss.tresys.com/mailman/listinfo/refpolicy
>
In fedora we have xdm_home_t.
matchpathcon ~/.xsession-errors
/home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKh2EQACgkQrlYvE4MpobOFPgCggrH02jfz/XJD+/EGifWNQqgX
5AIAnRDmx9AEzxw2glJ7lU+rrvTQZrAZ
=iKvZ
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-12-06 13:59 ` Daniel J Walsh
@ 2013-12-06 14:29 ` Dominick Grift
2013-12-06 15:35 ` Daniel J Walsh
0 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-12-06 14:29 UTC (permalink / raw)
To: refpolicy
On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:
> In fedora we have xdm_home_t.
>
> matchpathcon ~/.xsession-errors
> /home/dwalsh/.xsession-errors staff_u:object_r:xdm_home_t:s0
>
>
Thanks, yes i know, the question i have is, is it worth it to create a
private type for this.
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover
2013-12-06 14:29 ` Dominick Grift
@ 2013-12-06 15:35 ` Daniel J Walsh
0 siblings, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2013-12-06 15:35 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/06/2013 09:29 AM, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:59 -0500, Daniel J Walsh wrote:
>
>> In fedora we have xdm_home_t.
>>
>> matchpathcon ~/.xsession-errors /home/dwalsh/.xsession-errors
>> staff_u:object_r:xdm_home_t:s0
>>
>>
>
> Thanks, yes i know, the question i have is, is it worth it to create a
> private type for this.
>
>
Maybe not. At least gdm and kdm no longer create this content, I think they
are writing it to journald now.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKh7tAACgkQrlYvE4MpobN3SwCfe7IPBQlzPwdRLtwLCj6SrF8f
ABcAoOLZcLFBCR8C9XuyiRPZGbD8EMHK
=f6kz
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (22 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 24/39] This should probably eventually end up with xdm_home_t type like Fedora, but the file is currently created with xauth_home_t type so i just added a file context spec for that for failover Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-06 13:28 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs Dominick Grift
` (14 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/unconfined.te | 6 ++++++
policy/users | 7 -------
2 files changed, 6 insertions(+), 7 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 28a2188..4e4a4c5 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
optional_policy(`
unconfined_dbus_chat(unconfined_execmem_t)
')
+
+ifdef(`direct_sysadm_daemon',`
+ gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
+',`
+ gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
+')
diff --git a/policy/users b/policy/users
index 5db8cf4..25402af 100644
--- a/policy/users
+++ b/policy/users
@@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
-# Until order dependence is fixed for users:
-ifdef(`direct_sysadm_daemon',`
- gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
-',`
- gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
-')
-
#
# The following users correspond to Unix identities.
# These identities are typically assigned as the user attribute
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed
2013-11-09 9:45 ` [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed Dominick Grift
@ 2013-12-06 13:28 ` Christopher J. PeBenito
2013-12-06 13:49 ` Dominick Grift
0 siblings, 1 reply; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 13:28 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/unconfined.te | 6 ++++++
> policy/users | 7 -------
> 2 files changed, 6 insertions(+), 7 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 28a2188..4e4a4c5 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> optional_policy(`
> unconfined_dbus_chat(unconfined_execmem_t)
> ')
> +
> +ifdef(`direct_sysadm_daemon',`
> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +',`
> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> +')
> diff --git a/policy/users b/policy/users
> index 5db8cf4..25402af 100644
> --- a/policy/users
> +++ b/policy/users
> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>
> -# Until order dependence is fixed for users:
> -ifdef(`direct_sysadm_daemon',`
> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -',`
> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> -')
> -
> #
> # The following users correspond to Unix identities.
> # These identities are typically assigned as the user attribute
I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed
2013-12-06 13:28 ` Christopher J. PeBenito
@ 2013-12-06 13:49 ` Dominick Grift
2013-12-06 14:21 ` Christopher J. PeBenito
0 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-12-06 13:49 UTC (permalink / raw)
To: refpolicy
On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> > policy/modules/system/unconfined.te | 6 ++++++
> > policy/users | 7 -------
> > 2 files changed, 6 insertions(+), 7 deletions(-)
> >
> > diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> > index 28a2188..4e4a4c5 100644
> > --- a/policy/modules/system/unconfined.te
> > +++ b/policy/modules/system/unconfined.te
> > @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
> > optional_policy(`
> > unconfined_dbus_chat(unconfined_execmem_t)
> > ')
> > +
> > +ifdef(`direct_sysadm_daemon',`
> > + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +',`
> > + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > +')
> > diff --git a/policy/users b/policy/users
> > index 5db8cf4..25402af 100644
> > --- a/policy/users
> > +++ b/policy/users
> > @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
> > gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
> > gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
> >
> > -# Until order dependence is fixed for users:
> > -ifdef(`direct_sysadm_daemon',`
> > - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -',`
> > - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
> > -')
> > -
> > #
> > # The following users correspond to Unix identities.
> > # These identities are typically assigned as the user attribute
>
> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>
> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>
Ouch, i seem to not have tested that. i should follow my own advice.
problem is monolithic builts take so long. Atleast with modular you can
cheat by skipping the assertion checking (although i should not do that
either)
Do you think this error might be related to that?
> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
> /usr/bin/checkpolicy: loading policy configuration from policy.conf
> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
> typeattribute user_t domain;
> #line 13
> checkpolicy: error(s) encountered while parsing configuration
> make: *** [policy.29] Error 1
>
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed
2013-12-06 13:49 ` Dominick Grift
@ 2013-12-06 14:21 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:21 UTC (permalink / raw)
To: refpolicy
On 12/06/13 08:49, Dominick Grift wrote:
> On Fri, 2013-12-06 at 08:28 -0500, Christopher J. PeBenito wrote:
>> On 11/09/13 04:45, Dominick Grift wrote:
>>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
>>> ---
>>> policy/modules/system/unconfined.te | 6 ++++++
>>> policy/users | 7 -------
>>> 2 files changed, 6 insertions(+), 7 deletions(-)
>>>
>>> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
>>> index 28a2188..4e4a4c5 100644
>>> --- a/policy/modules/system/unconfined.te
>>> +++ b/policy/modules/system/unconfined.te
>>> @@ -213,3 +213,9 @@ unconfined_domain_noaudit(unconfined_execmem_t)
>>> optional_policy(`
>>> unconfined_dbus_chat(unconfined_execmem_t)
>>> ')
>>> +
>>> +ifdef(`direct_sysadm_daemon',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +',`
>>> + gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> +')
>>> diff --git a/policy/users b/policy/users
>>> index 5db8cf4..25402af 100644
>>> --- a/policy/users
>>> +++ b/policy/users
>>> @@ -28,13 +28,6 @@ gen_user(user_u, user, user_r, s0, s0)
>>> gen_user(staff_u, staff, staff_r sysadm_r ifdef(`enable_mls',`secadm_r auditadm_r'), s0, s0 - mls_systemhigh, mcs_allcats)
>>> gen_user(sysadm_u, sysadm, sysadm_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>>
>>> -# Until order dependence is fixed for users:
>>> -ifdef(`direct_sysadm_daemon',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r system_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -',`
>>> - gen_user(unconfined_u, unconfined, unconfined_r, s0, s0 - mls_systemhigh, mcs_allcats)
>>> -')
>>> -
>>> #
>>> # The following users correspond to Unix identities.
>>> # These identities are typically assigned as the user attribute
>>
>> I believe this will break monolithic build, otherwise I would have done it a long time ago. It would take a little work to implement user line moving in the build system to get this into the right place in policy.conf that checkpolicy expects.
>>
>> Alternatively, if semodule_expand was enhanced to output all of the files in the expanded policy, we could simplify refpolicy by doing a monolithic build by doing a modular build and then linking/expanding it locally. Then we'd get around the more painful ordering requirements of checkpolicy.
>>
>
> Ouch, i seem to not have tested that. i should follow my own advice.
> problem is monolithic builts take so long. Atleast with modular you can
> cheat by skipping the assertion checking (although i should not do that
> either)
>
> Do you think this error might be related to that?
It could be, but a further inspection of the policy.conf would be required, since the error message by itself isn't very helpful.
>> /usr/bin/checkpolicy -M -U allow policy.conf -o policy.29
>> /usr/bin/checkpolicy: loading policy configuration from policy.conf
>> policy/modules/roles/unprivuser.te":13:ERROR 'syntax error' at token 'typeattribute' on line 2436000:
>> typeattribute user_t domain;
>> #line 13
>> checkpolicy: error(s) encountered while parsing configuration
>> make: *** [policy.29] Error 1
>>
>
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (23 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 25/39] users: move the unconfined_u user statement to the unconfined module (if possible) so that it will be removed if the unconfined module is disabled, or removed Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-10 15:41 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans Dominick Grift
` (13 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.te | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 17eda24..5de913e 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -179,6 +179,11 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
+ifdef(`distro_debian',`
+fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
+')
+
ifdef(`distro_gentoo',`
allow init_t self:process { getcap setcap };
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs
2013-11-09 9:45 ` [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs Dominick Grift
@ 2013-12-10 15:41 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-10 15:41 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.te | 5 +++++
> 1 file changed, 5 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 17eda24..5de913e 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -179,6 +179,11 @@ seutil_read_config(init_t)
>
> miscfiles_read_localization(init_t)
>
> +ifdef(`distro_debian',`
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> +')
> +
> ifdef(`distro_gentoo',`
> allow init_t self:process { getcap setcap };
Merged with whitespace fix.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (24 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 26/39] init: this is a bug in debian where tmpfs is mounted on /run, and so early on in the boot process init creates /run/utmp and /run/initctl in a tmpfs directory (/) tmpfs Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-06 14:50 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file Dominick Grift
` (12 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/libraries.fc | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
index 73bb3c0..d9408e6 100644
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -117,6 +117,10 @@ ifdef(`distro_redhat',`
/usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
+ifdef(`distro_debian',`
+/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
+')
+
/usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
/usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans
2013-11-09 9:45 ` [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans Dominick Grift
@ 2013-12-06 14:50 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:50 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/libraries.fc | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/policy/modules/system/libraries.fc b/policy/modules/system/libraries.fc
> index 73bb3c0..d9408e6 100644
> --- a/policy/modules/system/libraries.fc
> +++ b/policy/modules/system/libraries.fc
> @@ -117,6 +117,10 @@ ifdef(`distro_redhat',`
>
> /usr/(.*/)?nvidia/.+\.so(\..*)? -- gen_context(system_u:object_r:textrel_shlib_t,s0)
>
> +ifdef(`distro_debian',`
> +/usr/(.*/)?dh-python/dh_pypy -- gen_context(system_u:object_r:lib_t,s0)
> +')
> +
> /usr/lib/altivec/libavcodec\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/cedega/.+\.so(\.[^/]*)* -- gen_context(system_u:object_r:textrel_shlib_t,s0)
> /usr/lib/dovecot/(.*/)?lib.*\.so.* -- gen_context(system_u:object_r:lib_t,s0)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (25 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 27/39] libraries: for now i can only confirm mmap, might need to be changed to bin_t later if it turns out to need execute_no_trans Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-14 18:24 ` Dominick Grift
2014-02-06 19:56 ` Laurent Bigonville
2013-11-09 9:45 ` [refpolicy] [PATCH 29/39] init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file Dominick Grift
` (11 subsequent siblings)
38 siblings, 2 replies; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.te | 5 ++++-
1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 5de913e..4691035 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -180,7 +180,7 @@ seutil_read_config(init_t)
miscfiles_read_localization(init_t)
ifdef(`distro_debian',`
-fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
+fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')
@@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
userdom_use_user_terminals(initrc_t)
ifdef(`distro_debian',`
+ kernel_getattr_core_if(initrc_t)
+
+ dev_getattr_generic_blk_files(initrc_t)
dev_setattr_generic_dirs(initrc_t)
fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
2013-11-09 9:45 ` [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file Dominick Grift
@ 2013-12-14 18:24 ` Dominick Grift
2014-02-06 19:56 ` Laurent Bigonville
1 sibling, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2013-12-14 18:24 UTC (permalink / raw)
To: refpolicy
On Sat, 2013-11-09 at 10:45 +0100, Dominick Grift wrote:
Please merge this patch asap.
Current refpolicy does not build without this patch
This was a rebase mistake by me.
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
2013-11-09 9:45 ` [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file Dominick Grift
2013-12-14 18:24 ` Dominick Grift
@ 2014-02-06 19:56 ` Laurent Bigonville
2014-02-07 8:15 ` Dominick Grift
1 sibling, 1 reply; 89+ messages in thread
From: Laurent Bigonville @ 2014-02-06 19:56 UTC (permalink / raw)
To: refpolicy
Le Sat, 9 Nov 2013 10:45:09 +0100,
Dominick Grift <dominick.grift@gmail.com> a ?crit :
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.te | 5 ++++-
> 1 file changed, 4 insertions(+), 1 deletion(-)
>
> diff --git a/policy/modules/system/init.te
> b/policy/modules/system/init.te index 5de913e..4691035 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
>
> @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> userdom_use_user_terminals(initrc_t)
>
> ifdef(`distro_debian',`
> + kernel_getattr_core_if(initrc_t)
> +
> + dev_getattr_generic_blk_files(initrc_t)
> dev_setattr_generic_dirs(initrc_t)
>
> fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
Hi,
Apparently this patch has never been merged (but the first chunk is not
applying anymore), should I repropose it or would you have the time to
do it?
Cheers,
Laurent Bigonville
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file
2014-02-06 19:56 ` Laurent Bigonville
@ 2014-02-07 8:15 ` Dominick Grift
0 siblings, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2014-02-07 8:15 UTC (permalink / raw)
To: refpolicy
On Thu, 2014-02-06 at 20:56 +0100, Laurent Bigonville wrote:
> Le Sat, 9 Nov 2013 10:45:09 +0100,
> Dominick Grift <dominick.grift@gmail.com> a ?crit :
>
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> > policy/modules/system/init.te | 5 ++++-
> > 1 file changed, 4 insertions(+), 1 deletion(-)
> >
> > diff --git a/policy/modules/system/init.te
> > b/policy/modules/system/init.te index 5de913e..4691035 100644
> > --- a/policy/modules/system/init.te
> > +++ b/policy/modules/system/init.te
> > @@ -180,7 +180,7 @@ seutil_read_config(init_t)
> > miscfiles_read_localization(init_t)
> >
> > ifdef(`distro_debian',`
> > -fs_tmpfs_filetrans(init_t, initctl_t, fifo, "initctl")
> > +fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> > fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> > ')
> >
> > @@ -437,6 +437,9 @@ userdom_read_user_home_content_files(initrc_t)
> > userdom_use_user_terminals(initrc_t)
> >
> > ifdef(`distro_debian',`
> > + kernel_getattr_core_if(initrc_t)
> > +
> > + dev_getattr_generic_blk_files(initrc_t)
> > dev_setattr_generic_dirs(initrc_t)
> >
> > fs_tmpfs_filetrans(initrc_t, initrc_var_run_t, dir)
>
> Hi,
>
> Apparently this patch has never been merged (but the first chunk is not
> applying anymore), should I repropose it or would you have the time to
> do it?
>
> Cheers,
I lost the passphrase of my ssh key for contrib so probably best to
resumbit a new patch because i wont be able to commit this
>
> Laurent Bigonville
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 29/39] init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (26 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 28/39] init: startpar (initrc_t) gets attributes of /dev/dm-0 (device_t) early on boot, soon later the node context is properly reset (debian only) init: startpar (initrc_t) gets attributes of /proc/kcore file Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-20 19:56 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files Dominick Grift
` (10 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.te | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 4691035..7f8797a 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -450,6 +450,10 @@ ifdef(`distro_debian',`
storage_tmpfs_filetrans_fixed_disk(initrc_t)
files_setattr_etc_dirs(initrc_t)
+
+ optional_policy(`
+ exim_manage_var_lib_files(initrc_t)
+ ')
')
ifdef(`distro_gentoo',`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (27 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 29/39] init: exim init script runs various helper apps that create and manage /var/lib/exim4/config.autogenerated.tmp file Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-20 19:56 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 31/39] udev: in debian udevadm is located in /bin/udevadm Dominick Grift
` (9 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.te | 8 ++++++++
1 file changed, 8 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index 7f8797a..cd97c98 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -454,6 +454,14 @@ ifdef(`distro_debian',`
optional_policy(`
exim_manage_var_lib_files(initrc_t)
')
+
+ optional_policy(`
+ gdomap_read_config(initrc_t)
+ ')
+
+ optional_policy(`
+ minissdpd_read_config(initrc_t)
+ ')
')
ifdef(`distro_gentoo',`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files
2013-11-09 9:45 ` [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files Dominick Grift
@ 2013-12-20 19:56 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-20 19:56 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.te | 8 ++++++++
> 1 file changed, 8 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index 7f8797a..cd97c98 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -454,6 +454,14 @@ ifdef(`distro_debian',`
> optional_policy(`
> exim_manage_var_lib_files(initrc_t)
> ')
> +
> + optional_policy(`
> + gdomap_read_config(initrc_t)
> + ')
> +
> + optional_policy(`
> + minissdpd_read_config(initrc_t)
> + ')
> ')
>
> ifdef(`distro_gentoo',`
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 31/39] udev: in debian udevadm is located in /bin/udevadm
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (28 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 30/39] init: the gdomap and minissdpd init scripts read the respective environ files in /etc/default. We need to give them a private type so that we can give the gdomap_admin() and minissdpd_admin() access to it, but it seems overengineering to create private environ types for these files Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-11-09 9:45 ` [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts Dominick Grift
` (8 subsequent siblings)
38 siblings, 0 replies; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/udev.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/system/udev.fc b/policy/modules/system/udev.fc
index dd1a887..0b4df21 100644
--- a/policy/modules/system/udev.fc
+++ b/policy/modules/system/udev.fc
@@ -12,6 +12,7 @@
/lib/udev/udev-acl -- gen_context(system_u:object_r:udev_exec_t,s0)
ifdef(`distro_debian',`
+/bin/udevadm -- gen_context(system_u:object_r:udev_exec_t,s0)
/lib/udev/create_static_nodes -- gen_context(system_u:object_r:udev_exec_t,s0)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (29 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 31/39] udev: in debian udevadm is located in /bin/udevadm Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-03 13:51 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni Dominick Grift
` (7 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/services/ssh.te | 4 ++++
policy/modules/system/setrans.te | 4 ++++
2 files changed, 8 insertions(+)
diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
index cc877c7..d7559d8 100644
--- a/policy/modules/services/ssh.te
+++ b/policy/modules/services/ssh.te
@@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
ssh_server_template(sshd)
init_daemon_domain(sshd_t, sshd_exec_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(sshd_var_run_t, "sshd")
+')
+
type sshd_key_t;
files_type(sshd_key_t)
diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
index 48aefa2..dcd7c62 100644
--- a/policy/modules/system/setrans.te
+++ b/policy/modules/system/setrans.te
@@ -20,6 +20,10 @@ type setrans_var_run_t;
files_pid_file(setrans_var_run_t)
mls_trusted_object(setrans_var_run_t)
+ifdef(`distro_debian',`
+ init_daemon_run_dir(setrans_var_run_t, "setrans")
+')
+
ifdef(`enable_mcs',`
init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts
2013-11-09 9:45 ` [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts Dominick Grift
@ 2013-12-03 13:51 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:51 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/services/ssh.te | 4 ++++
> policy/modules/system/setrans.te | 4 ++++
> 2 files changed, 8 insertions(+)
>
> diff --git a/policy/modules/services/ssh.te b/policy/modules/services/ssh.te
> index cc877c7..d7559d8 100644
> --- a/policy/modules/services/ssh.te
> +++ b/policy/modules/services/ssh.te
> @@ -33,6 +33,10 @@ corecmd_executable_file(sshd_exec_t)
> ssh_server_template(sshd)
> init_daemon_domain(sshd_t, sshd_exec_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(sshd_var_run_t, "sshd")
> +')
> +
> type sshd_key_t;
> files_type(sshd_key_t)
>
> diff --git a/policy/modules/system/setrans.te b/policy/modules/system/setrans.te
> index 48aefa2..dcd7c62 100644
> --- a/policy/modules/system/setrans.te
> +++ b/policy/modules/system/setrans.te
> @@ -20,6 +20,10 @@ type setrans_var_run_t;
> files_pid_file(setrans_var_run_t)
> mls_trusted_object(setrans_var_run_t)
>
> +ifdef(`distro_debian',`
> + init_daemon_run_dir(setrans_var_run_t, "setrans")
> +')
> +
> ifdef(`enable_mcs',`
> init_ranged_daemon_domain(setrans_t, setrans_exec_t, s0 - mcs_systemhigh)
> ')
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (30 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 32/39] sshd/setrans: make respective init scripts create pid dirs with proper contexts Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-03 13:52 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces: Dominick Grift
` (6 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/kernel.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index dd1e7e7..d7a9b47 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
# connections with invalidated labels:
allow kernel_t unlabeled_t:packet send;
+kernel_request_load_module(kernel_t)
+
# Allow unlabeled network traffic
allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
corenet_in_generic_if(unlabeled_t)
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni
2013-11-09 9:45 ` [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni Dominick Grift
@ 2013-12-03 13:52 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:52 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/kernel/kernel.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index dd1e7e7..d7a9b47 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -228,6 +228,8 @@ allow kernel_t unlabeled_t:dir mounton;
> # connections with invalidated labels:
> allow kernel_t unlabeled_t:packet send;
>
> +kernel_request_load_module(kernel_t)
> +
> # Allow unlabeled network traffic
> allow unlabeled_t unlabeled_t:packet { forward_in forward_out };
> corenet_in_generic_if(unlabeled_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (31 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 33/39] kernel: cryptomgr_test (kernel_t) requests kernel to load cryptd(__driver-ecb-aes-aesni Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-20 19:56 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t Dominick Grift
` (5 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
1. device_t type was used but not required
2. the interface name suggest all dev files and that includes device_t
chr/blk files as well. If the interface name would say all_dev_nodes
then it would have been a different story
In debian kernel needs to set attributes of generic device_t blk files
(/dev/dm-.*) Some how theyre created with generic device_t
In debian kernel needs to create, and set attributes of atleast the chr
files that i added named file transtion rules for but i added
permissions to kernel to create and set attributes of any chr file in
/dev ( that includes generic device_t type chr files
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/kernel/devices.if | 12 ++++++++----
policy/modules/kernel/kernel.te | 4 ++++
2 files changed, 12 insertions(+), 4 deletions(-)
diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
index 147170a..afcc522 100644
--- a/policy/modules/kernel/devices.if
+++ b/policy/modules/kernel/devices.if
@@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
interface(`dev_setattr_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- setattr_blk_files_pattern($1, device_t, device_node)
+ setattr_blk_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
interface(`dev_setattr_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- setattr_chr_files_pattern($1, device_t, device_node)
+ setattr_chr_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
interface(`dev_create_all_blk_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- create_blk_files_pattern($1, device_t, device_node)
+ create_blk_files_pattern($1, device_t, { device_node device_t })
')
########################################
@@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
interface(`dev_create_all_chr_files',`
gen_require(`
attribute device_node;
+ type device_t;
')
- create_chr_files_pattern($1, device_t, device_node)
+ create_chr_files_pattern($1, device_t, { device_node device_t })
')
########################################
diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
index d7a9b47..b9d6a3a 100644
--- a/policy/modules/kernel/kernel.te
+++ b/policy/modules/kernel/kernel.te
@@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
mls_file_read_all_levels(kernel_t)
ifdef(`distro_debian',`
+ dev_create_all_chr_files(kernel_t)
+ dev_setattr_all_blk_files(kernel_t)
+ dev_setattr_all_chr_files(kernel_t)
+
dev_filetrans_input(kernel_t, "event0")
dev_filetrans_input(kernel_t, "event1")
dev_filetrans_input(kernel_t, "event2")
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces:
2013-11-09 9:45 ` [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces: Dominick Grift
@ 2013-12-20 19:56 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-20 19:56 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> 1. device_t type was used but not required
> 2. the interface name suggest all dev files and that includes device_t
> chr/blk files as well. If the interface name would say all_dev_nodes
> then it would have been a different story
>
> In debian kernel needs to set attributes of generic device_t blk files
> (/dev/dm-.*) Some how theyre created with generic device_t
>
> In debian kernel needs to create, and set attributes of atleast the chr
> files that i added named file transtion rules for but i added
> permissions to kernel to create and set attributes of any chr file in
> /dev ( that includes generic device_t type chr files
Fails to apply for me.
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/kernel/devices.if | 12 ++++++++----
> policy/modules/kernel/kernel.te | 4 ++++
> 2 files changed, 12 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/kernel/devices.if b/policy/modules/kernel/devices.if
> index 147170a..afcc522 100644
> --- a/policy/modules/kernel/devices.if
> +++ b/policy/modules/kernel/devices.if
> @@ -1072,9 +1072,10 @@ interface(`dev_dontaudit_getattr_all_chr_files',`
> interface(`dev_setattr_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_blk_files_pattern($1, device_t, device_node)
> + setattr_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1091,9 +1092,10 @@ interface(`dev_setattr_all_blk_files',`
> interface(`dev_setattr_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - setattr_chr_files_pattern($1, device_t, device_node)
> + setattr_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1181,9 +1183,10 @@ interface(`dev_dontaudit_write_all_chr_files',`
> interface(`dev_create_all_blk_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_blk_files_pattern($1, device_t, device_node)
> + create_blk_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> @@ -1199,9 +1202,10 @@ interface(`dev_create_all_blk_files',`
> interface(`dev_create_all_chr_files',`
> gen_require(`
> attribute device_node;
> + type device_t;
> ')
>
> - create_chr_files_pattern($1, device_t, device_node)
> + create_chr_files_pattern($1, device_t, { device_node device_t })
> ')
>
> ########################################
> diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te
> index d7a9b47..b9d6a3a 100644
> --- a/policy/modules/kernel/kernel.te
> +++ b/policy/modules/kernel/kernel.te
> @@ -288,6 +288,10 @@ mls_file_write_all_levels(kernel_t)
> mls_file_read_all_levels(kernel_t)
>
> ifdef(`distro_debian',`
> + dev_create_all_chr_files(kernel_t)
> + dev_setattr_all_blk_files(kernel_t)
> + dev_setattr_all_chr_files(kernel_t)
> +
> dev_filetrans_input(kernel_t, "event0")
> dev_filetrans_input(kernel_t, "event1")
> dev_filetrans_input(kernel_t, "event2")
>
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (32 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 34/39] kernel: Edited the dev_(create|setattr)_all_(chr|blk)_files() interfaces: Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-06 14:50 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 36/39] init: creates /run/utmp Dominick Grift
` (4 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/roles/staff.te | 4 ++++
policy/modules/roles/unprivuser.te | 4 ++++
policy/modules/system/userdomain.if | 4 ++++
3 files changed, 12 insertions(+)
diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
index 0fef1fc..5fd339b 100644
--- a/policy/modules/roles/staff.te
+++ b/policy/modules/roles/staff.te
@@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(staff, staff_r, staff_t)
')
+
+ optional_policy(`
+ pulseaudio_role(staff_r, staff_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
index 6d77e81..acc9ff7 100644
--- a/policy/modules/roles/unprivuser.te
+++ b/policy/modules/roles/unprivuser.te
@@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
optional_policy(`
gnome_role_template(user, user_r, user_t)
')
+
+ optional_policy(`
+ pulseaudio_role(user_r, user_t)
+ ')
')
optional_policy(`
diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
index 189f786..dc03698 100644
--- a/policy/modules/system/userdomain.if
+++ b/policy/modules/system/userdomain.if
@@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
gnome_role_template($1, $1_r, $1_t)
wm_role_template($1, $1_r, $1_t)
')
+
+ optional_policy(`
+ pulseaudio_role($1_r, $1_t)
+ ')
')
optional_policy(`
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t
2013-11-09 9:45 ` [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t Dominick Grift
@ 2013-12-06 14:50 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-06 14:50 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/roles/staff.te | 4 ++++
> policy/modules/roles/unprivuser.te | 4 ++++
> policy/modules/system/userdomain.if | 4 ++++
> 3 files changed, 12 insertions(+)
>
> diff --git a/policy/modules/roles/staff.te b/policy/modules/roles/staff.te
> index 0fef1fc..5fd339b 100644
> --- a/policy/modules/roles/staff.te
> +++ b/policy/modules/roles/staff.te
> @@ -82,6 +82,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(staff, staff_r, staff_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(staff_r, staff_t)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/roles/unprivuser.te b/policy/modules/roles/unprivuser.te
> index 6d77e81..acc9ff7 100644
> --- a/policy/modules/roles/unprivuser.te
> +++ b/policy/modules/roles/unprivuser.te
> @@ -55,6 +55,10 @@ ifndef(`distro_redhat',`
> optional_policy(`
> gnome_role_template(user, user_r, user_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role(user_r, user_t)
> + ')
> ')
>
> optional_policy(`
> diff --git a/policy/modules/system/userdomain.if b/policy/modules/system/userdomain.if
> index 189f786..dc03698 100644
> --- a/policy/modules/system/userdomain.if
> +++ b/policy/modules/system/userdomain.if
> @@ -946,6 +946,10 @@ template(`userdom_restricted_xwindows_user_template',`
> gnome_role_template($1, $1_r, $1_t)
> wm_role_template($1, $1_r, $1_t)
> ')
> +
> + optional_policy(`
> + pulseaudio_role($1_r, $1_t)
> + ')
> ')
>
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 36/39] init: creates /run/utmp
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (33 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 35/39] users: calls pulseaudio_role() for restricted xwindows users and staff_t/user_t Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-10 15:41 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t) Dominick Grift
` (3 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/init.te | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
index cd97c98..95f2284 100644
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
ifdef(`distro_debian',`
fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
+
+allow init_t initrc_var_run_t:file manage_file_perms;
fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
')
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 36/39] init: creates /run/utmp
2013-11-09 9:45 ` [refpolicy] [PATCH 36/39] init: creates /run/utmp Dominick Grift
@ 2013-12-10 15:41 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-10 15:41 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/init.te | 2 ++
> 1 file changed, 2 insertions(+)
>
> diff --git a/policy/modules/system/init.te b/policy/modules/system/init.te
> index cd97c98..95f2284 100644
> --- a/policy/modules/system/init.te
> +++ b/policy/modules/system/init.te
> @@ -181,6 +181,8 @@ miscfiles_read_localization(init_t)
>
> ifdef(`distro_debian',`
> fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl")
> +
> +allow init_t initrc_var_run_t:file manage_file_perms;
> fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp")
> ')
Merged manually due to a whitespace fix on the prior patch.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t)
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (34 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 36/39] init: creates /run/utmp Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-03 13:52 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 38/39] xserver: review this Dominick Grift
` (2 subsequent siblings)
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/services/xserver.te | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index 8b40377..a7faaad 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -301,7 +301,7 @@ optional_policy(`
#
allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
-allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
+allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
allow xdm_t self:fifo_file rw_fifo_file_perms;
allow xdm_t self:shm create_shm_perms;
allow xdm_t self:sem create_sem_perms;
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t)
2013-11-09 9:45 ` [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t) Dominick Grift
@ 2013-12-03 13:52 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:52 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/services/xserver.te | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index 8b40377..a7faaad 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -301,7 +301,7 @@ optional_policy(`
> #
>
> allow xdm_t self:capability { setgid setuid sys_resource kill sys_tty_config mknod chown dac_override dac_read_search fowner fsetid ipc_owner sys_nice sys_rawio net_bind_service };
> -allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms setkeycreate };
> +allow xdm_t self:process { setexec setpgid getsched setsched setrlimit signal_perms };
> allow xdm_t self:fifo_file rw_fifo_file_perms;
> allow xdm_t self:shm create_shm_perms;
> allow xdm_t self:sem create_sem_perms;
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 38/39] xserver: review this
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (35 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 37/39] xserver: already allowed by auth_login_pgm_domain(xdm_t) Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-05 14:21 ` Christopher J. PeBenito
2013-11-09 9:45 ` [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined) Dominick Grift
2013-12-03 13:46 ` [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Christopher J. PeBenito
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/services/xserver.te | 8 ++++----
1 file changed, 4 insertions(+), 4 deletions(-)
diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
index a7faaad..2ae8acb 100644
--- a/policy/modules/services/xserver.te
+++ b/policy/modules/services/xserver.te
@@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
xserver_use_user_fonts(xserver_t)
-ifndef(`distro_redhat',`
- allow xserver_t self:process { execmem execheap execstack };
- domain_mmap_low_uncond(xserver_t)
-')
+# ifndef(`distro_redhat',`
+# allow xserver_t self:process { execmem execheap execstack };
+# domain_mmap_low_uncond(xserver_t)
+# ')
ifdef(`distro_rhel4',`
allow xserver_t self:process { execmem execheap execstack };
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 38/39] xserver: review this
2013-11-09 9:45 ` [refpolicy] [PATCH 38/39] xserver: review this Dominick Grift
@ 2013-12-05 14:21 ` Christopher J. PeBenito
2013-12-05 14:24 ` Daniel J Walsh
2013-12-06 16:22 ` Sven Vermeulen
0 siblings, 2 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-05 14:21 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/services/xserver.te | 8 ++++----
> 1 file changed, 4 insertions(+), 4 deletions(-)
>
> diff --git a/policy/modules/services/xserver.te b/policy/modules/services/xserver.te
> index a7faaad..2ae8acb 100644
> --- a/policy/modules/services/xserver.te
> +++ b/policy/modules/services/xserver.te
> @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
>
> xserver_use_user_fonts(xserver_t)
>
> -ifndef(`distro_redhat',`
> - allow xserver_t self:process { execmem execheap execstack };
> - domain_mmap_low_uncond(xserver_t)
> -')
> +# ifndef(`distro_redhat',`
> +# allow xserver_t self:process { execmem execheap execstack };
> +# domain_mmap_low_uncond(xserver_t)
> +# ')
>
> ifdef(`distro_rhel4',`
> allow xserver_t self:process { execmem execheap execstack };
>
I suspect this can be removed, not just commented out. Sven, can you confirm on Gentoo?
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 38/39] xserver: review this
2013-12-05 14:21 ` Christopher J. PeBenito
@ 2013-12-05 14:24 ` Daniel J Walsh
2013-12-06 16:22 ` Sven Vermeulen
1 sibling, 0 replies; 89+ messages in thread
From: Daniel J Walsh @ 2013-12-05 14:24 UTC (permalink / raw)
To: refpolicy
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
On 12/05/2013 09:21 AM, Christopher J. PeBenito wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
>> Signed-off-by: Dominick Grift <dominick.grift@gmail.com> ---
>> policy/modules/services/xserver.te | 8 ++++---- 1 file changed, 4
>> insertions(+), 4 deletions(-)
>>
>> diff --git a/policy/modules/services/xserver.te
>> b/policy/modules/services/xserver.te index a7faaad..2ae8acb 100644 ---
>> a/policy/modules/services/xserver.te +++
>> b/policy/modules/services/xserver.te @@ -741,10 +741,10 @@
>> userdom_rw_user_tmpfs_files(xserver_t)
>>
>> xserver_use_user_fonts(xserver_t)
>>
>> -ifndef(`distro_redhat',` - allow xserver_t self:process { execmem
>> execheap execstack }; - domain_mmap_low_uncond(xserver_t) -') +#
>> ifndef(`distro_redhat',` +# allow xserver_t self:process { execmem
>> execheap execstack }; +# domain_mmap_low_uncond(xserver_t) +# ')
>>
>> ifdef(`distro_rhel4',` allow xserver_t self:process { execmem execheap
>> execstack };
>>
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
Yes just remove it.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.15 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/
iEYEARECAAYFAlKgjKEACgkQrlYvE4MpobMu3gCfTnyROmzZDASGXSFwLRShAh+M
ulAAn30rmZ8uS+vMFVVADisay/CnTfh9
=rxIQ
-----END PGP SIGNATURE-----
^ permalink raw reply [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 38/39] xserver: review this
2013-12-05 14:21 ` Christopher J. PeBenito
2013-12-05 14:24 ` Daniel J Walsh
@ 2013-12-06 16:22 ` Sven Vermeulen
2013-12-06 16:32 ` Dominick Grift
1 sibling, 1 reply; 89+ messages in thread
From: Sven Vermeulen @ 2013-12-06 16:22 UTC (permalink / raw)
To: refpolicy
I auditallow'ed the statements to see if they were triggered during a
normal x session (startup, some spps, shutdown) and they were not, so ok to
remove.
On Dec 5, 2013 3:22 PM, "Christopher J. PeBenito" <cpebenito@tresys.com>
wrote:
> On 11/09/13 04:45, Dominick Grift wrote:
> > Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> > ---
> > policy/modules/services/xserver.te | 8 ++++----
> > 1 file changed, 4 insertions(+), 4 deletions(-)
> >
> > diff --git a/policy/modules/services/xserver.te
> b/policy/modules/services/xserver.te
> > index a7faaad..2ae8acb 100644
> > --- a/policy/modules/services/xserver.te
> > +++ b/policy/modules/services/xserver.te
> > @@ -741,10 +741,10 @@ userdom_rw_user_tmpfs_files(xserver_t)
> >
> > xserver_use_user_fonts(xserver_t)
> >
> > -ifndef(`distro_redhat',`
> > - allow xserver_t self:process { execmem execheap execstack };
> > - domain_mmap_low_uncond(xserver_t)
> > -')
> > +# ifndef(`distro_redhat',`
> > +# allow xserver_t self:process { execmem execheap execstack };
> > +# domain_mmap_low_uncond(xserver_t)
> > +# ')
> >
> > ifdef(`distro_rhel4',`
> > allow xserver_t self:process { execmem execheap execstack };
> >
>
> I suspect this can be removed, not just commented out. Sven, can you
> confirm on Gentoo?
>
> --
> Chris PeBenito
> Tresys Technology, LLC
> www.tresys.com | oss.tresys.com
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://oss.tresys.com/pipermail/refpolicy/attachments/20131206/f55466a5/attachment.html
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (36 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 38/39] xserver: review this Dominick Grift
@ 2013-11-09 9:45 ` Dominick Grift
2013-12-03 13:53 ` Christopher J. PeBenito
2013-12-03 13:46 ` [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Christopher J. PeBenito
38 siblings, 1 reply; 89+ messages in thread
From: Dominick Grift @ 2013-11-09 9:45 UTC (permalink / raw)
To: refpolicy
It would not be sufficient in the current shape anyways because
unconfined_r is not associated with xserver_t
Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
---
policy/modules/system/unconfined.te | 4 ----
1 file changed, 4 deletions(-)
diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
index 4e4a4c5..bb1696d 100644
--- a/policy/modules/system/unconfined.te
+++ b/policy/modules/system/unconfined.te
@@ -198,10 +198,6 @@ optional_policy(`
wine_domtrans(unconfined_t)
')
-optional_policy(`
- xserver_domtrans(unconfined_t)
-')
-
########################################
#
# Unconfined Execmem Local policy
--
1.8.3.1
^ permalink raw reply related [flat|nested] 89+ messages in thread* [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined)
2013-11-09 9:45 ` [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined) Dominick Grift
@ 2013-12-03 13:53 ` Christopher J. PeBenito
0 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:53 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:45, Dominick Grift wrote:
> It would not be sufficient in the current shape anyways because
> unconfined_r is not associated with xserver_t
>
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/unconfined.te | 4 ----
> 1 file changed, 4 deletions(-)
>
> diff --git a/policy/modules/system/unconfined.te b/policy/modules/system/unconfined.te
> index 4e4a4c5..bb1696d 100644
> --- a/policy/modules/system/unconfined.te
> +++ b/policy/modules/system/unconfined.te
> @@ -198,10 +198,6 @@ optional_policy(`
> wine_domtrans(unconfined_t)
> ')
>
> -optional_policy(`
> - xserver_domtrans(unconfined_t)
> -')
> -
> ########################################
> #
> # Unconfined Execmem Local policy
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread
* [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints()
2013-11-09 9:44 [refpolicy] [PATCH 01/39] mount: fs_list_auto_mountpoint() is now redundant because autofs_t is covered by files_list_all_mountpoints() Dominick Grift
` (37 preceding siblings ...)
2013-11-09 9:45 ` [refpolicy] [PATCH 39/39] unconfined: Do not domain transition to xserver_t (unconfined_t is xserver_unconfined) Dominick Grift
@ 2013-12-03 13:46 ` Christopher J. PeBenito
38 siblings, 0 replies; 89+ messages in thread
From: Christopher J. PeBenito @ 2013-12-03 13:46 UTC (permalink / raw)
To: refpolicy
On 11/09/13 04:44, Dominick Grift wrote:
> Signed-off-by: Dominick Grift <dominick.grift@gmail.com>
> ---
> policy/modules/system/mount.te | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/policy/modules/system/mount.te b/policy/modules/system/mount.te
> index 459a0ef..ea1016d 100644
> --- a/policy/modules/system/mount.te
> +++ b/policy/modules/system/mount.te
> @@ -107,7 +107,6 @@ fs_mount_all_fs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> -fs_list_auto_mountpoints(mount_t)
> fs_rw_tmpfs_chr_files(mount_t)
> fs_read_tmpfs_symlinks(mount_t)
> fs_dontaudit_write_tmpfs_dirs(mount_t)
Merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com
^ permalink raw reply [flat|nested] 89+ messages in thread