* [refpolicy] [PATCH v2 0/8] Some simple core policy updates
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.
Added the auth_pid_filetrans_pam_var_run as Nicolas Iooss correctly found; shame that I missed it, I checked it against the wrong repository :(
Sven Vermeulen (8):
Run grub(2)-mkconfig in bootloader domain
Add auth_pid_filetrans_pam_var_run
New sudo manages timestamp directory in /var/run/sudo
xfce4-notifyd is an executable
Mark f2fs as a SELinux capable file system
Add in LightDM contexts
Add gdisk and efibootmgr as fsadm_exec_t
Add /var/lib/racoon as runtime directory for ipsec
policy/modules/admin/bootloader.fc | 1 +
policy/modules/admin/sudo.if | 3 ++-
policy/modules/kernel/corecommands.fc | 1 +
policy/modules/kernel/filesystem.te | 1 +
policy/modules/services/xserver.fc | 7 +++++++
policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
policy/modules/system/fstools.fc | 2 ++
policy/modules/system/ipsec.fc | 2 ++
8 files changed, 47 insertions(+), 1 deletion(-)
--
2.0.4
* [refpolicy] [PATCH v2 1/8] Run grub(2)-mkconfig in bootloader domain
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
In order to write the grub configuration and perform the preliminary
checks, the grub-mkconfig command should run in the bootloader_t domain.
As such, update the file context definition to be bootloader_exec_t.
---
policy/modules/admin/bootloader.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/admin/bootloader.fc b/policy/modules/admin/bootloader.fc
index d56f931..d908d56 100644
--- a/policy/modules/admin/bootloader.fc
+++ b/policy/modules/admin/bootloader.fc
@@ -9,4 +9,5 @@
/usr/sbin/grub -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-bios-setup -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-install -- gen_context(system_u:object_r:bootloader_exec_t,s0)
+/usr/sbin/grub2?-mkconfig -- gen_context(system_u:object_r:bootloader_exec_t,s0)
/usr/sbin/grub2?-probe -- gen_context(system_u:object_r:bootloader_exec_t,s0)
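Review bot: the new `/usr/sbin/grub2?-mkconfig` entry only relabels the binary, and grub-mkconfig is a shell script that sources /etc/default/grub, runs the helper scripts under /etc/grub.d and calls grub-probe to build the configuration; since no bootloader.te change accompanies this hunk, the commit message should confirm that bootloader_t already holds what those helpers need (shell execution, reading the grub.d scripts, executing grub-probe in place). The pattern and context type match the surrounding grub2?-* entries, so the fc side itself is fine.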
--
2.0.4
* [refpolicy] [PATCH v2 2/8] Add auth_pid_filetrans_pam_var_run
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
---
policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
1 file changed, 31 insertions(+)
diff --git a/policy/modules/system/authlogin.if b/policy/modules/system/authlogin.if
index 3efd5b6..f05d7bf 100644
--- a/policy/modules/system/authlogin.if
+++ b/policy/modules/system/authlogin.if
@@ -1004,6 +1004,37 @@ interface(`auth_dontaudit_read_pam_pid',`
########################################
## <summary>
+## Create specified objects in
+## pid directories with the pam var
+## run file type using a
+## file type transition.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <param name="object_class">
+## <summary>
+## Class of the object being created.
+## </summary>
+## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
+#
+interface(`auth_pid_filetrans_pam_var_run',`
+ gen_require(`
+ type pam_var_run_t;
+ ')
+
+ files_pid_filetrans($1, pam_var_run_t, $2, $3)
+')
+
+########################################
+## <summary>
## Delete pam PID files.
## </summary>
## <param name="domain">
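Review bot: the interface installs the type transition only (files_pid_filetrans grants write access on the pid directory plus the transition itself, not create rights on pam_var_run_t), so a caller still has to hold create/manage permission on pam_var_run_t for the class it passes; the summary block should say that callers pair it with auth_manage_pam_pid or equivalent, which is exactly what the sudo change in 3/8 does. The optional `name` parameter and placement beside the other pam pid interfaces follow the file's conventions. The patch also has no commit message body; a one-liner naming the first consumer (sudo) would help the log.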
--
2.0.4
* [refpolicy] [PATCH v2 3/8] New sudo manages timestamp directory in /var/run/sudo
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
Allow sudo (1.8.9_p5 and higher) to handle /var/run/sudo/ts if it does
not exist (given the tmpfs nature of /var/run). This is done when sudo
is run in the user prefixed domain, and requires both the chown
capability as well as the proper file transition when /var/run/sudo is
created.
---
policy/modules/admin/sudo.if | 3 ++-
1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/policy/modules/admin/sudo.if b/policy/modules/admin/sudo.if
index d9114b3..2ee052b 100644
--- a/policy/modules/admin/sudo.if
+++ b/policy/modules/admin/sudo.if
@@ -52,7 +52,7 @@ template(`sudo_role_template',`
#
# Use capabilities.
- allow $1_sudo_t self:capability { fowner setuid setgid dac_override sys_nice sys_resource };
+ allow $1_sudo_t self:capability { chown fowner setuid setgid dac_override sys_nice sys_resource };
allow $1_sudo_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
allow $1_sudo_t self:process { setexec setrlimit };
allow $1_sudo_t self:fd use;
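Review bot: `chown` is added to the self:capability set for $1_sudo_t without a comment; the commit message ties it to creating /var/run/sudo, but chown is broad (it lets the domain change ownership of any file it can otherwise write), so a short comment above the allow line noting why sudo needs it (ownership of the freshly created timestamp directory) keeps the rule auditable. Also worth confirming from the original AVC denial that chown alone is required, rather than something already covered by fowner in the same set.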
@@ -117,6 +117,7 @@ template(`sudo_role_template',`
auth_run_chk_passwd($1_sudo_t, $2)
# sudo stores a token in the pam_pid directory
auth_manage_pam_pid($1_sudo_t)
+ auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")
auth_use_nsswitch($1_sudo_t)
init_rw_utmp($1_sudo_t)
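Review bot: the named transition `auth_pid_filetrans_pam_var_run($1_sudo_t, dir, "sudo")` covers only the top-level /var/run/sudo directory; the ts subdirectory mentioned in the commit message will inherit pam_var_run_t from its parent, so no second transition is needed, but the existing comment `# sudo stores a token in the pam_pid directory` should be extended to say that newer sudo also creates that directory itself when /var/run is a fresh tmpfs. Please also check that authlogin.fc labels /var/run/sudo(/.*)? as pam_var_run_t, otherwise restorecon and this transition will disagree on the label.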
--
2.0.4
* [refpolicy] [PATCH v2 4/8] xfce4-notifyd is an executable
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
---
policy/modules/kernel/corecommands.fc | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/corecommands.fc b/policy/modules/kernel/corecommands.fc
index c860d81..958fad7 100644
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -239,6 +239,7 @@ ifdef(`distro_gentoo',`
/usr/lib/vte/gnome-pty-helper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-compose-mail-1 -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/exo-1/exo-helper-1 -- gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/xfce4/notifyd/xfce4-notifyd -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/migrate -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/panel/wrapper -- gen_context(system_u:object_r:bin_t,s0)
/usr/lib/xfce4/session/balou-export-theme -- gen_context(system_u:object_r:bin_t,s0)
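Review bot: labelling /usr/lib/xfce4/notifyd/xfce4-notifyd as bin_t means it runs in the caller's domain with no transition, which is consistent with the other xfce4 helpers in this block, but the patch has no commit message; state that xfce4-notifyd is started on demand from the user session (D-Bus activation) and so needs no domain of its own, so a later reader does not wonder whether a daemon domain was overlooked. The hunk context places this under ifdef(`distro_gentoo',`, so also confirm the path is the one the Gentoo package installs.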
--
2.0.4
* [refpolicy] [PATCH v2 5/8] Mark f2fs as a SELinux capable file system
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
Since Linux kernel 3.11, F2FS supports XATTR and the security namespace.
See commit
https://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.git/commit/?id=8ae8f1627f39bae505b90cade50cd8a911b8bda6
---
policy/modules/kernel/filesystem.te | 1 +
1 file changed, 1 insertion(+)
diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te
index cf04fb7..fd1e7fe 100644
--- a/policy/modules/kernel/filesystem.te
+++ b/policy/modules/kernel/filesystem.te
@@ -27,6 +27,7 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext3 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr ext4dev gen_context(system_u:object_r:fs_t,s0);
+fs_use_xattr f2fs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gfs2 gen_context(system_u:object_r:fs_t,s0);
fs_use_xattr gpfs gen_context(system_u:object_r:fs_t,s0);
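Review bot: the entry lands in the correct alphabetical slot between ext4dev and gfs and the commit message cites the kernel commit that added the security xattr namespace; one consequence worth adding to the message is that fs_use_xattr is unconditional in policy, so an f2fs volume mounted on a kernel older than 3.11 will have inodes with no security.selinux xattr and they will show up unlabeled rather than fall back to any genfs labelling. Nothing else in this hunk needs changing.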
--
2.0.4
* [refpolicy] [PATCH v2 6/8] Add in LightDM contexts
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
---
policy/modules/services/xserver.fc | 7 +++++++
1 file changed, 7 insertions(+)
diff --git a/policy/modules/services/xserver.fc b/policy/modules/services/xserver.fc
index 3fe4eef..71b307c 100644
--- a/policy/modules/services/xserver.fc
+++ b/policy/modules/services/xserver.fc
@@ -22,6 +22,8 @@ HOME_DIR/\.Xauthority.* -- gen_context(system_u:object_r:xauth_home_t,s0)
/etc/gdm(3)?/PreSession/.* -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/gdm(3)?/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+/etc/lightdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
+
/etc/kde[34]?/kdm/Xstartup -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xreset -- gen_context(system_u:object_r:xsession_exec_t,s0)
/etc/kde[34]?/kdm/Xsession -- gen_context(system_u:object_r:xsession_exec_t,s0)
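Review bot: the new /etc/lightdm/Xsession entry is inserted between the gdm and kde blocks, whereas this section otherwise lists the display managers alphabetically (gdm, then kde); moving it after the /etc/kde[34]?/kdm entries keeps that order. The type is right: it is the session wrapper script, so xsession_exec_t matches the gdm and kdm Xsession entries above and below it.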
@@ -92,12 +94,16 @@ ifndef(`distro_debian',`
/var/[xgkw]dm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
+/var/cache/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+
/var/lib/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
+/var/lib/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/[xkw]dm(/.*)? gen_context(system_u:object_r:xdm_var_lib_t,s0)
/var/lib/xkb(/.*)? gen_context(system_u:object_r:xkb_var_lib_t,s0)
/var/log/[kwx]dm\.log.* -- gen_context(system_u:object_r:xserver_log_t,s0)
+/var/log/lightdm(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/lxdm\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/gdm(3)?(/.*)? gen_context(system_u:object_r:xserver_log_t,s0)
/var/log/slim\.log -- gen_context(system_u:object_r:xserver_log_t,s0)
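Review bot: /var/cache/lightdm(/.*)? is given xdm_var_lib_t, so a cache directory gets the state-directory type; there is no xdm cache type in this file, which makes it a pragmatic choice, but the patch has no commit message explaining it. Ordering is also uneven: /var/log/lightdm(/.*)? goes between the [kwx]dm and lxdm log entries while /var/log/gdm sits after them. A one-line commit message listing the paths LightDM uses (cache, lib, log, run) and why the cache directory shares xdm_var_lib_t would make the choices reviewable.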
@@ -107,6 +113,7 @@ ifndef(`distro_debian',`
/var/run/gdm(3)?(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/gdm(3)?\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/xdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
+/var/run/lightdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.auth -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm\.pid -- gen_context(system_u:object_r:xdm_var_run_t,s0)
/var/run/lxdm(/.*)? gen_context(system_u:object_r:xdm_var_run_t,s0)
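Review bot: /var/run/lightdm(/.*)? covers the runtime directory, but LightDM by default also writes its pid file directly under /var/run as lightdm.pid, which this pattern does not match; if that file is created by the xdm domain at startup it needs an explicit entry like the /var/run/lxdm\.pid one in this hunk (or a named file transition), otherwise it inherits var_run_t. The entry would also sit more naturally beside the gdm entries than after /var/run/xdm\.pid.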
--
2.0.4
* [refpolicy] [PATCH v2 7/8] Add gdisk and efibootmgr as fsadm_exec_t
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
---
policy/modules/system/fstools.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/fstools.fc b/policy/modules/system/fstools.fc
index 3101274..d10368d 100644
--- a/policy/modules/system/fstools.fc
+++ b/policy/modules/system/fstools.fc
@@ -51,8 +51,10 @@
/usr/sbin/addpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/clubufflush -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/delpart -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/efibootmgr -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fatsort -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/fsck.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
+/usr/sbin/gdisk -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/mkfs.* -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/parted -- gen_context(system_u:object_r:fsadm_exec_t,s0)
/usr/sbin/partprobe -- gen_context(system_u:object_r:fsadm_exec_t,s0)
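Review bot: efibootmgr is not a filesystem tool; it writes EFI variables through efivarfs under /sys/firmware/efi/efivars, so fsadm_t needs write access to that filesystem for the label to be useful, and none is added here. More importantly, grub-install invokes efibootmgr on EFI systems to register the boot entry, and grub2?-install is bootloader_exec_t (see 1/8), so bootloader_t must be able either to execute fsadm_exec_t in its own domain or to transition to fsadm_t; please confirm one of those rules exists, or consider bootloader_exec_t for efibootmgr instead. gdisk as fsadm_exec_t matches parted and the other partitioning tools here. The subject line misspells gdisk as gfisk.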
--
2.0.4
* [refpolicy] [PATCH v2 8/8] Add /var/lib/racoon as runtime directory for ipsec
From: Sven Vermeulen @ 2014-11-22 21:16 UTC
To: refpolicy
---
policy/modules/system/ipsec.fc | 2 ++
1 file changed, 2 insertions(+)
diff --git a/policy/modules/system/ipsec.fc b/policy/modules/system/ipsec.fc
index 662e79b..0f1e351 100644
--- a/policy/modules/system/ipsec.fc
+++ b/policy/modules/system/ipsec.fc
@@ -31,6 +31,8 @@
/usr/sbin/racoon -- gen_context(system_u:object_r:racoon_exec_t,s0)
/usr/sbin/setkey -- gen_context(system_u:object_r:setkey_exec_t,s0)
+/var/lib/racoon(/.*)? gen_context(system_u:object_r:ipsec_var_run_t,s0)
+
/var/lock/subsys/ipsec -- gen_context(system_u:object_r:ipsec_mgmt_lock_t,s0)
/var/log/pluto\.log -- gen_context(system_u:object_r:ipsec_log_t,s0)
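Review bot: /var/lib/racoon(/.*)? receives ipsec_var_run_t, a runtime type, on a persistent /var/lib path, and there is no commit message saying why (presumably racoon places its admin socket there on this distribution). Since /var/lib survives reboots while the type name implies /var/run semantics, record the rationale in the log and in a short comment above the entry. If racoon keeps persistent state there, a dedicated ipsec var lib type would be the cleaner fit; if it is only the socket, the label is acceptable as-is.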
--
2.0.4
* [refpolicy] [PATCH v2 0/8] Some simple core policy updates
From: Christopher J. PeBenito @ 2014-12-02 15:31 UTC
To: refpolicy
On 11/22/2014 4:16 PM, Sven Vermeulen wrote:
> This is a small set of policy updates that have been in the Gentoo policy for a while and are ready for upstreaming.
>
> Added the auth_pid_filetrans_pam_var_run as Nicolas Iooss correctly found; shame that I missed it, I checked it against the wrong repository :(
>
> Sven Vermeulen (8):
> Run grub(2)-mkconfig in bootloader domain
> Add auth_pid_filetrans_pam_var_run
> New sudo manages timestamp directory in /var/run/sudo
> xfce4-notifyd is an executable
> Mark f2fs as a SELinux capable file system
> Add in LightDM contexts
> Add gdisk and efibootmgr as fsadm_exec_t
> Add /var/lib/racoon as runtime directory for ipsec
>
> policy/modules/admin/bootloader.fc | 1 +
> policy/modules/admin/sudo.if | 3 ++-
> policy/modules/kernel/corecommands.fc | 1 +
> policy/modules/kernel/filesystem.te | 1 +
> policy/modules/services/xserver.fc | 7 +++++++
> policy/modules/system/authlogin.if | 31 +++++++++++++++++++++++++++++++
> policy/modules/system/fstools.fc | 2 ++
> policy/modules/system/ipsec.fc | 2 ++
> 8 files changed, 47 insertions(+), 1 deletion(-)
This set is merged.
--
Chris PeBenito
Tresys Technology, LLC
www.tresys.com | oss.tresys.com