From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] misc services patches with changes Dominick and Chris wanted
Date: Wed, 27 Jan 2021 14:15:50 +1100	[thread overview]
Message-ID: <YBDa5ga6QMQtfoVH@xev> (raw)

I think this one is ready to merge.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210126/policy/modules/services/apache.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/apache.fc
+++ refpolicy-2.20210126/policy/modules/services/apache.fc
@@ -80,6 +80,8 @@ HOME_DIR/((www)|(web)|(public_html))(/.*
 /usr/sbin/httpd(\.worker)?				--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/lighttpd					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/nginx						--  gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php.*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)
+/usr/sbin/php-fpm[^/]+					--	gen_context(system_u:object_r:httpd_exec_t,s0)
 /usr/sbin/rotatelogs					--	gen_context(system_u:object_r:httpd_rotatelogs_exec_t,s0)
 /usr/sbin/suexec					--	gen_context(system_u:object_r:httpd_suexec_exec_t,s0)
 /usr/sbin/wigwam					--	gen_context(system_u:object_r:httpd_exec_t,s0)
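Review bot: The two new php-fpm entries use different regex idioms for the same job, and the first one is looser than it looks: in file-context regexes `.` also matches `/`, so `/usr/sbin/php.*-fpm` would label a regular file such as `/usr/sbin/php/anything-fpm` as httpd_exec_t, while the next line correctly restricts itself with `[^/]+`. Making the first line `/usr/sbin/php[^/]*-fpm					--	gen_context(system_u:object_r:httpd_exec_t,s0)` keeps it to the sbin directory and matches the style of the line that follows. The `[^/]+` on the second entry means bare `/usr/sbin/php-fpm` is matched only by the first entry, which is probably intended but worth a short comment if both lines are kept.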
@@ -144,7 +146,7 @@ ifdef(`distro_suse',`
 /var/lib/php/session(/.*)?					gen_context(system_u:object_r:httpd_runtime_t,s0)
 /var/lib/pootle/po(/.*)?					gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/rt3/data/RT-Shredder(/.*)?				gen_context(system_u:object_r:httpd_var_lib_t,s0)
-/var/lib/squirrelmail/prefs(/.*)?				gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
+/var/lib/squirrelmail(/.*)?					gen_context(system_u:object_r:httpd_squirrelmail_t,s0)
 /var/lib/stickshift/\.httpd\.d(/.*)?				gen_context(system_u:object_r:httpd_config_t,s0)
 /var/lib/svn(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
 /var/lib/trac(/.*)?						gen_context(system_u:object_r:httpd_sys_content_t,s0)
@@ -170,6 +172,7 @@ ifdef(`distro_suse',`
 /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
 /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
+/var/log/php7..-fpm.log					--	gen_context(system_u:object_r:httpd_log_t,s0)
 
 /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
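Review bot: `/var/log/php7..-fpm.log` pins the PHP major version to 7 and leaves both dots unescaped, so the final `.` before `log` is a wildcard (the context line `/var/log/suphp\.log.*` shows the file's convention of escaping it) and `..` accepts any two characters rather than a `.N` minor version. A version-neutral entry such as `/var/log/php[^/]*-fpm\.log					--	gen_context(system_u:object_r:httpd_log_t,s0)` covers the current names without needing a change for the next major release. If the intent was to keep it narrow, `/var/log/php[0-9]\.[0-9]+-fpm\.log` is the explicit form.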
@@ -178,6 +181,7 @@ ifdef(`distro_suse',`
 /run/httpd.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/lighttpd(/.*)?						gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/mod_.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
+/run/php(/.*)?							gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/wsgi.*						-s	gen_context(system_u:object_r:httpd_runtime_t,s0)
 /run/user/apache(/.*)?						gen_context(system_u:object_r:httpd_tmp_t,s0)
 
Index: refpolicy-2.20210126/policy/modules/services/apache.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/apache.if
+++ refpolicy-2.20210126/policy/modules/services/apache.if
@@ -71,6 +71,7 @@ template(`apache_content_template',`
 
 	manage_dirs_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
+	allow httpd_$1_script_t httpd_$1_rw_content_t:file map;
 	manage_lnk_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_fifo_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
 	manage_sock_files_pattern(httpd_$1_script_t, httpd_$1_rw_content_t, httpd_$1_rw_content_t)
@@ -97,6 +98,8 @@ template(`apache_content_template',`
 
 	tunable_policy(`httpd_enable_cgi && httpd_unified && httpd_builtin_scripting',`
 		filetrans_pattern(httpd_t, httpd_$1_content_t, httpd_$1_rw_content_t, { file dir fifo_file lnk_file sock_file })
+		allow httpd_t httpd_$1_content_t:file map;
+		allow httpd_t httpd_$1_rw_content_t:file map;
 	')
 ')
 
@@ -1005,6 +1008,7 @@ interface(`apache_manage_sys_rw_content'
 	apache_search_sys_content($1)
 	manage_dirs_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 	manage_files_pattern($1,httpd_sys_rw_content_t, httpd_sys_rw_content_t)
+	allow $1 httpd_sys_rw_content_t:file map;
 	manage_lnk_files_pattern($1, httpd_sys_rw_content_t, httpd_sys_rw_content_t)
 ')
 
@@ -1132,6 +1136,24 @@ interface(`apache_append_squirrelmail_da
 ')
 
 ########################################
+## <summary>
+##	delete httpd squirrelmail spool files.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`apache_delete_squirrelmail_spool',`
+	gen_require(`
+		type squirrelmail_spool_t;
+	')
+
+	delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)
+')
+
+########################################
 ## <summary>
 ##	Search httpd system content.
 ## </summary>
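Review bot: The new interface's summary `delete httpd squirrelmail spool files.` starts in lower case while the surrounding interfaces (e.g. `Search httpd system content.`) use a capitalised sentence, so the generated documentation will look inconsistent; `##	Delete httpd squirrelmail spool files.` fixes that. The interface grants delete on squirrelmail_spool_t files and directories but nothing on the parent spool directory; unless the caller is expected to obtain that itself, adding `files_search_spool($1)` before the pattern call would make the interface usable on its own, as `files_search_spool(httpd_t)` is used elsewhere in this series. This is a hedged suggestion since the spool path's labelling is not visible in the patch.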
Index: refpolicy-2.20210126/policy/modules/services/apache.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/apache.te
+++ refpolicy-2.20210126/policy/modules/services/apache.te
@@ -381,6 +381,7 @@ manage_dirs_pattern(httpd_t, httpd_cache
 manage_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 manage_lnk_files_pattern(httpd_t, httpd_cache_t, httpd_cache_t)
 files_var_filetrans(httpd_t, httpd_cache_t, dir)
+allow httpd_t httpd_cache_t:file map;
 
 allow httpd_t httpd_config_t:dir list_dir_perms;
 read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)
@@ -389,7 +390,7 @@ read_lnk_files_pattern(httpd_t, httpd_co
 allow httpd_t httpd_htaccess_type:file read_file_perms;
 
 allow httpd_t httpd_ro_content:dir list_dir_perms;
-allow httpd_t httpd_ro_content:file read_file_perms;
+allow httpd_t httpd_ro_content:file { map read_file_perms };
 allow httpd_t httpd_ro_content:lnk_file read_lnk_file_perms;
 
 allow httpd_t httpd_keytab_t:file read_file_perms;
@@ -416,6 +417,7 @@ allow httpd_t httpd_rotatelogs_t:process
 manage_dirs_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
 manage_lnk_files_pattern(httpd_t, httpd_squirrelmail_t, httpd_squirrelmail_t)
+allow httpd_t httpd_squirrelmail_t:file map;
 
 allow httpd_t httpd_suexec_exec_t:file read_file_perms;
 
@@ -425,6 +427,7 @@ allow httpd_t httpd_sys_script_t:process
 
 manage_dirs_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
+allow httpd_t httpd_tmp_t:file map;
 manage_sock_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 manage_lnk_files_pattern(httpd_t, httpd_tmp_t, httpd_tmp_t)
 files_tmp_filetrans(httpd_t, httpd_tmp_t, { file dir lnk_file sock_file })
@@ -439,6 +442,7 @@ fs_tmpfs_filetrans(httpd_t, httpd_tmpfs_
 
 manage_dirs_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 manage_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
+allow httpd_t httpd_var_lib_t:file map;
 manage_lnk_files_pattern(httpd_t, httpd_var_lib_t, httpd_var_lib_t)
 files_var_lib_filetrans(httpd_t, httpd_var_lib_t, { dir file })
 
@@ -460,6 +464,7 @@ domtrans_pattern(httpd_t, httpd_rotatelo
 domtrans_pattern(httpd_t, httpd_suexec_exec_t, httpd_suexec_t)
 
 kernel_read_kernel_sysctls(httpd_t)
+kernel_read_crypto_sysctls(httpd_t)
 kernel_read_vm_sysctls(httpd_t)
 kernel_read_vm_overcommit_sysctl(httpd_t)
 kernel_read_network_state(httpd_t)
@@ -484,6 +489,7 @@ dev_read_sysfs(httpd_t)
 dev_read_rand(httpd_t)
 dev_read_urand(httpd_t)
 dev_rw_crypto(httpd_t)
+dev_rwx_zero(httpd_t)
 
 domain_use_interactive_fds(httpd_t)
 
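Review bot: `dev_rwx_zero(httpd_t)` allows the web server to map /dev/zero with both write and execute permission, which is effectively an execmem grant for the httpd_t domain and weakens the W^X protection that confining the web server is meant to provide. The hunk gives no indication of which component needs it (a JIT in an embedded scripting engine would be the usual reason), so at minimum a comment naming the consumer is needed, e.g. `# executable anonymous mappings for <component needing JIT> (TODO: confirm)`. Given that the rest of the apache policy already gates scripting behaviour behind tunables such as `httpd_builtin_scripting`, it would be more consistent to place this rule inside a tunable_policy block so that installations without that component do not get the looser mapping rights by default.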
@@ -492,10 +498,12 @@ fs_search_auto_mountpoints(httpd_t)
 
 fs_read_anon_inodefs_files(httpd_t)
 fs_rw_inherited_hugetlbfs_files(httpd_t)
+fs_mmap_rw_hugetlbfs_files(httpd_t)
 fs_read_iso9660_files(httpd_t)
 
 files_dontaudit_getattr_all_runtime_files(httpd_t)
 files_read_usr_files(httpd_t)
+files_map_usr_files(httpd_t)
 files_list_mnt(httpd_t)
 files_search_spool(httpd_t)
 files_read_var_symlinks(httpd_t)
@@ -504,6 +512,7 @@ files_search_home(httpd_t)
 files_getattr_home_dir(httpd_t)
 files_read_etc_runtime_files(httpd_t)
 files_read_var_lib_symlinks(httpd_t)
+files_map_etc_files(httpd_t)
 
 auth_use_nsswitch(httpd_t)
 
@@ -573,7 +582,7 @@ tunable_policy(`httpd_builtin_scripting'
 	exec_files_pattern(httpd_t, httpd_script_exec_type, httpd_script_exec_type)
 
 	allow httpd_t httpdcontent:dir list_dir_perms;
-	allow httpd_t httpdcontent:file read_file_perms;
+	allow httpd_t httpdcontent:file { map read_file_perms };
 	allow httpd_t httpdcontent:lnk_file read_lnk_file_perms;
 
 	allow httpd_t httpd_ra_content:dir { list_dir_perms add_entry_dir_perms setattr_dir_perms };
@@ -614,6 +623,7 @@ tunable_policy(`httpd_enable_cgi && http
 
 	manage_dirs_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_files_pattern(httpd_t, httpdcontent, httpdcontent)
+	allow httpd_t httpdcontent:file map;
 	manage_fifo_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_lnk_files_pattern(httpd_t, httpdcontent, httpdcontent)
 	manage_sock_files_pattern(httpd_t, httpdcontent, httpdcontent)
@@ -899,6 +909,7 @@ optional_policy(`
 #
 
 read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)
+allow httpd_t httpd_config_t:file map;
 
 append_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
 read_lnk_files_pattern(httpd_helper_t, httpd_log_t, httpd_log_t)
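Review bot: The added rule `allow httpd_t httpd_config_t:file map;` sits in the httpd_helper_t local-policy section (every surrounding rule has httpd_helper_t as its subject), so the subject looks like a copy-and-paste slip; it should most likely read `allow httpd_helper_t httpd_config_t:file map;` alongside the `read_files_pattern(httpd_helper_t, httpd_config_t, httpd_config_t)` line it follows. If httpd_t really is the intended subject, the rule belongs next to the httpd_t config rules earlier in the file (the `read_files_pattern(httpd_t, httpd_config_t, httpd_config_t)` block touched by the first apache.te hunk) rather than here, where a later reader will assume it applies to the helper. Either way the rule compiles, so this will not be caught by the build.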
Index: refpolicy-2.20210126/policy/modules/services/aptcacher.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/aptcacher.fc
+++ refpolicy-2.20210126/policy/modules/services/aptcacher.fc
@@ -2,12 +2,15 @@
 
 /usr/lib/apt-cacher-ng/acngtool -- gen_context(system_u:object_r:acngtool_exec_t,s0)
 
-/usr/sbin/apt-cacher-ng -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
+/usr/sbin/apt-cacher.* -- gen_context(system_u:object_r:aptcacher_exec_t,s0)
 
+/run/apt-cacher(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 /run/apt-cacher-ng(/.*)?  gen_context(system_u:object_r:aptcacher_runtime_t,s0)
 
+/var/cache/apt-cacher(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 /var/cache/apt-cacher-ng(/.*)?	gen_context(system_u:object_r:aptcacher_cache_t,s0)
 
 /var/lib/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_lib_t,s0)
 
+/var/log/apt-cacher(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
 /var/log/apt-cacher-ng(/.*)? gen_context(system_u:object_r:aptcacher_log_t,s0)
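Review bot: `/usr/sbin/apt-cacher.*` labels far more than the two binaries it is meant to cover: `.*` matches any suffix, including a `/`, so any regular file whose path begins with `/usr/sbin/apt-cacher` becomes aptcacher_exec_t. The explicit form `/usr/sbin/apt-cacher(-ng)?	--	gen_context(system_u:object_r:aptcacher_exec_t,s0)` covers exactly apt-cacher and apt-cacher-ng. The same optional-suffix idiom could fold the new /run, /var/cache and /var/log pairs into single entries (e.g. `/run/apt-cacher(-ng)?(/.*)?`), which is a matter of taste but keeps the file from growing two lines per path.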
Index: refpolicy-2.20210126/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210126/policy/modules/services/aptcacher.if
@@ -63,3 +63,43 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+######################################
+## <summary>
+##     read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file read_file_perms;
+')
+
+######################################
+## <summary>
+##     mmap and read aptcacher config
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed to read it.
+##     </summary>
+## </param>
+#
+interface(`aptcacher_mmap_read_config',`
+	gen_require(`
+		type aptcacher_etc_t;
+	')
+
+	files_search_etc($1)
+	allow $1 aptcacher_etc_t:dir list_dir_perms;
+	allow $1 aptcacher_etc_t:file mmap_read_file_perms;
+')
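Review bot: The XML documentation in both new interfaces indents with spaces after `##` (`##     read aptcacher config`), whereas the rest of refpolicy, including the apache.if interface added in this same series, uses a tab (`##	Search httpd system content.`); the summaries should also start with a capital letter and the parameter text should use the conventional `Domain allowed access.`. Those are cosmetic but they are what the documentation generator and reviewers will trip over first. Separately, only `aptcacher_mmap_read_config` is called by this series (from cron.te); if `aptcacher_read_config` has no caller it may be worth saying so in the commit message, or dropping it until something needs it, to avoid shipping an unused interface.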
Index: refpolicy-2.20210126/policy/modules/services/aptcacher.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/aptcacher.te
+++ refpolicy-2.20210126/policy/modules/services/aptcacher.te
@@ -75,6 +75,8 @@ corenet_tcp_connect_http_port(aptcacher_
 
 auth_use_nsswitch(aptcacher_t)
 
+files_read_etc_files(aptcacher_t)
+
 # Uses sd_notify() to inform systemd it has properly started
 init_dgram_send(aptcacher_t)
 
Index: refpolicy-2.20210126/policy/modules/services/bind.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/bind.te
+++ refpolicy-2.20210126/policy/modules/services/bind.te
@@ -149,6 +149,7 @@ domain_use_interactive_fds(named_t)
 
 files_read_etc_runtime_files(named_t)
 files_read_usr_files(named_t)
+files_map_usr_files(named_t)
 
 fs_getattr_all_fs(named_t)
 fs_search_auto_mountpoints(named_t)
Index: refpolicy-2.20210126/policy/modules/services/colord.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/colord.te
+++ refpolicy-2.20210126/policy/modules/services/colord.te
@@ -31,6 +31,8 @@ allow colord_t self:netlink_kobject_ueve
 allow colord_t self:tcp_socket { accept listen };
 allow colord_t self:shm create_shm_perms;
 
+can_exec(colord_t, colord_exec_t)
+
 manage_dirs_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 manage_files_pattern(colord_t, colord_tmp_t, colord_tmp_t)
 files_tmp_filetrans(colord_t, colord_tmp_t, { file dir })
@@ -128,6 +130,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	snmp_read_snmp_var_lib_files(colord_t)
+')
+
+optional_policy(`
 	sysnet_exec_ifconfig(colord_t)
 ')
 
@@ -136,6 +142,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	unconfined_dbus_send(colord_t)
+')
+
+optional_policy(`
 	xserver_read_xdm_lib_files(colord_t)
 	xserver_use_xdm_fds(colord_t)
 ')
Index: refpolicy-2.20210126/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210126/policy/modules/services/cron.te
@@ -304,6 +304,8 @@ init_start_all_units(system_cronjob_t)
 init_get_generic_units_status(system_cronjob_t)
 init_get_system_status(system_cronjob_t)
 
+backup_manage_store_files(system_cronjob_t)
+
 auth_manage_var_auth(crond_t)
 auth_use_pam(crond_t)
 
@@ -340,6 +342,11 @@ ifdef(`distro_debian',`
 	')
 
 	optional_policy(`
+		aptcacher_mmap_read_config(system_cronjob_t)
+		corenet_tcp_connect_aptcacher_port(system_cronjob_t)
+	')
+
+	optional_policy(`
 		logwatch_search_cache_dir(crond_t)
 	')
 ')
@@ -427,6 +434,7 @@ optional_policy(`
 	init_dbus_chat(crond_t)
 	init_dbus_chat(system_cronjob_t)
 	systemd_dbus_chat_logind(system_cronjob_t)
+	systemd_read_journal_files(system_cronjob_t)
 	systemd_write_inherited_logind_sessions_pipes(system_cronjob_t)
 	# so cron jobs can restart daemons
 	init_stream_connect(system_cronjob_t)
@@ -497,6 +505,7 @@ corenet_tcp_sendrecv_generic_if(system_c
 corenet_udp_sendrecv_generic_if(system_cronjob_t)
 corenet_tcp_sendrecv_generic_node(system_cronjob_t)
 corenet_udp_sendrecv_generic_node(system_cronjob_t)
+corenet_udp_bind_generic_node(system_cronjob_t)
 
 dev_getattr_all_blk_files(system_cronjob_t)
 dev_getattr_all_chr_files(system_cronjob_t)
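Review bot: `corenet_udp_bind_generic_node(system_cronjob_t)` lets every system cron job bind UDP sockets on any node address, which is a broad grant on a domain that runs arbitrary scheduled scripts, and the hunk gives no hint of which job needs it. A one-line comment naming the consumer, e.g. `# <job name> needs to bind a UDP socket (TODO: confirm)`, would let future readers judge whether the permission is still warranted; if it is for a single well-known program, a dedicated domain transition for that job would be the tighter option.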
@@ -579,6 +588,7 @@ optional_policy(`
 	apache_read_log(system_cronjob_t)
 	apache_read_sys_content(system_cronjob_t)
 	apache_delete_lib_files(system_cronjob_t)
+	apache_delete_squirrelmail_spool(system_cronjob_t)
 ')
 
 optional_policy(`
@@ -651,6 +661,8 @@ optional_policy(`
 
 optional_policy(`
 	spamassassin_manage_lib_files(system_cronjob_t)
+	spamassassin_status(system_cronjob_t)
+	spamassassin_reload(system_cronjob_t)
 ')
 
 optional_policy(`
Index: refpolicy-2.20210126/policy/modules/services/cups.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/cups.te
+++ refpolicy-2.20210126/policy/modules/services/cups.te
@@ -111,11 +111,12 @@ ifdef(`enable_mls',`
 
 allow cupsd_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill setgid setuid sys_admin sys_rawio sys_resource sys_tty_config };
 dontaudit cupsd_t self:capability { net_admin sys_tty_config };
-allow cupsd_t self:capability2 block_suspend;
+allow cupsd_t self:capability2 { block_suspend wake_alarm };
 allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
 allow cupsd_t self:fifo_file rw_fifo_file_perms;
 allow cupsd_t self:unix_stream_socket { accept connectto listen };
 allow cupsd_t self:netlink_selinux_socket create_socket_perms;
+allow cupsd_t self:netlink_kobject_uevent_socket create_socket_perms;
 allow cupsd_t self:shm create_shm_perms;
 allow cupsd_t self:sem create_sem_perms;
 allow cupsd_t self:tcp_socket { accept listen };
Index: refpolicy-2.20210126/policy/modules/services/devicekit.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/devicekit.te
+++ refpolicy-2.20210126/policy/modules/services/devicekit.te
@@ -131,6 +131,8 @@ fs_mount_all_fs(devicekit_disk_t)
 fs_unmount_all_fs(devicekit_disk_t)
 fs_search_all(devicekit_disk_t)
 
+mount_rw_runtime_files(devicekit_disk_t)
+
 mls_file_read_all_levels(devicekit_disk_t)
 mls_file_write_to_clearance(devicekit_disk_t)
 
Index: refpolicy-2.20210126/policy/modules/services/entropyd.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/entropyd.te
+++ refpolicy-2.20210126/policy/modules/services/entropyd.te
@@ -55,6 +55,7 @@ files_read_usr_files(entropyd_t)
 
 fs_getattr_all_fs(entropyd_t)
 fs_search_auto_mountpoints(entropyd_t)
+fs_search_tmpfs(entropyd_t)
 
 domain_use_interactive_fds(entropyd_t)
 
Index: refpolicy-2.20210126/policy/modules/services/fail2ban.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/fail2ban.te
+++ refpolicy-2.20210126/policy/modules/services/fail2ban.te
@@ -63,6 +63,7 @@ manage_files_pattern(fail2ban_t, fail2ba
 files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
 
 kernel_read_system_state(fail2ban_t)
+kernel_search_fs_sysctls(fail2ban_t)
 
 corecmd_exec_bin(fail2ban_t)
 corecmd_exec_shell(fail2ban_t)
@@ -90,6 +91,7 @@ fs_getattr_all_fs(fail2ban_t)
 auth_use_nsswitch(fail2ban_t)
 
 logging_read_all_logs(fail2ban_t)
+logging_read_audit_log(fail2ban_t)
 logging_send_syslog_msg(fail2ban_t)
 
 miscfiles_read_localization(fail2ban_t)
Index: refpolicy-2.20210126/policy/modules/services/jabber.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/jabber.te
+++ refpolicy-2.20210126/policy/modules/services/jabber.te
@@ -110,8 +110,11 @@ files_read_etc_runtime_files(jabberd_t)
 # usr for lua modules
 files_read_usr_files(jabberd_t)
 
+files_search_var_lib(jabberd_t)
+
 fs_search_auto_mountpoints(jabberd_t)
 
+miscfiles_read_generic_tls_privkey(jabberd_t)
 miscfiles_read_all_certs(jabberd_t)
 
 sysnet_read_config(jabberd_t)
Index: refpolicy-2.20210126/policy/modules/services/l2tp.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/l2tp.te
+++ refpolicy-2.20210126/policy/modules/services/l2tp.te
@@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
 allow l2tpd_t self:tcp_socket { accept listen };
 allow l2tpd_t self:unix_dgram_socket sendto;
 allow l2tpd_t self:unix_stream_socket { accept listen };
+allow l2tpd_t self:pppox_socket create;
 
 read_files_pattern(l2tpd_t, l2tp_conf_t, l2tp_conf_t)
 
Index: refpolicy-2.20210126/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210126/policy/modules/services/mon.te
@@ -150,6 +150,10 @@ optional_policy(`
 	bind_read_zone(mon_net_test_t)
 ')
 
+optional_policy(`
+	mysql_stream_connect(mon_net_test_t)
+')
+
 ########################################
 #
 # Local policy
@@ -159,7 +163,8 @@ optional_policy(`
 # try not to use dontaudit rules for this
 #
 
-allow mon_local_test_t self:capability sys_admin;
+# sys_ptrace is for reading /proc/1/maps etc
+allow mon_local_test_t self:capability { sys_ptrace sys_admin };
 allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
 allow mon_local_test_t self:process getsched;
 
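Review bot: The comment explaining sys_ptrace is welcome, but reading another domain's /proc/PID/maps is also mediated by SELinux on the target process (the kernel's ptrace access check for read mode requires file read permission on the target domain's label), so the capability on its own may still leave a denial unless mon_local_test_t already has something like `domain_read_all_domains_state(mon_local_test_t)` earlier in the file, which this hunk does not show. It would be worth confirming with a test run and, if the extra access is needed, adding it next to this rule with the same comment. Since sys_ptrace is a powerful capability, stating in the comment that mon only reads maps (never attaches) also documents the intended scope.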
Index: refpolicy-2.20210126/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210126/policy/modules/services/mysql.fc
@@ -20,6 +20,7 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
 /usr/sbin/mysqld(-max)?	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 /usr/sbin/mysqlmanager	--	gen_context(system_u:object_r:mysqlmanagerd_exec_t,s0)
 /usr/sbin/ndbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
+/usr/sbin/mariadbd	--	gen_context(system_u:object_r:mysqld_exec_t,s0)
 
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
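Review bot: The new `/usr/sbin/mariadbd` entry is appended after `/usr/sbin/ndbd`, but the surrounding block is kept in alphabetical order (mysqld, mysqlmanager, ndbd), so it should go before the `/usr/sbin/mysqld(-max)?` line. Purely a style point; the label itself is fine and the file type specifier matches the neighbouring entries.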
Index: refpolicy-2.20210126/policy/modules/services/mysql.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/mysql.te
+++ refpolicy-2.20210126/policy/modules/services/mysql.te
@@ -65,7 +65,7 @@ files_runtime_file(mysqlmanagerd_runtime
 # Local policy
 #
 
-allow mysqld_t self:capability { dac_override ipc_lock setgid setuid sys_resource };
+allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
 dontaudit mysqld_t self:capability sys_tty_config;
 allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
 allow mysqld_t self:fifo_file rw_fifo_file_perms;
@@ -75,6 +75,7 @@ allow mysqld_t self:tcp_socket { accept
 
 manage_dirs_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 manage_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
+allow mysqld_t mysqld_db_t:file map;
 manage_lnk_files_pattern(mysqld_t, mysqld_db_t, mysqld_db_t)
 files_var_lib_filetrans(mysqld_t, mysqld_db_t, { dir file lnk_file })
 
@@ -91,6 +92,7 @@ logging_log_filetrans(mysqld_t, mysqld_l
 
 manage_dirs_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
 manage_files_pattern(mysqld_t, mysqld_tmp_t, mysqld_tmp_t)
+allow mysqld_t mysqld_tmp_t:file map;
 files_tmp_filetrans(mysqld_t, mysqld_tmp_t, { file dir })
 
 manage_dirs_pattern(mysqld_t, mysqld_runtime_t, mysqld_runtime_t)
@@ -102,6 +104,7 @@ kernel_read_kernel_sysctls(mysqld_t)
 kernel_read_network_state(mysqld_t)
 kernel_read_system_state(mysqld_t)
 kernel_read_vm_sysctls(mysqld_t)
+kernel_read_vm_overcommit_sysctl(mysqld_t)
 
 corenet_all_recvfrom_netlabel(mysqld_t)
 corenet_tcp_sendrecv_generic_if(mysqld_t)
@@ -123,6 +126,7 @@ domain_use_interactive_fds(mysqld_t)
 
 fs_getattr_all_fs(mysqld_t)
 fs_search_auto_mountpoints(mysqld_t)
+fs_search_tmpfs(mysqld_t)
 fs_rw_hugetlbfs_files(mysqld_t)
 
 files_read_etc_runtime_files(mysqld_t)
@@ -132,6 +136,7 @@ auth_use_nsswitch(mysqld_t)
 
 logging_send_syslog_msg(mysqld_t)
 
+miscfiles_read_generic_certs(mysqld_t)
 miscfiles_read_localization(mysqld_t)
 
 userdom_search_user_home_dirs(mysqld_t)
Index: refpolicy-2.20210126/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20210126/policy/modules/services/openvpn.te
@@ -131,6 +131,8 @@ fs_search_auto_mountpoints(openvpn_t)
 
 auth_use_pam(openvpn_t)
 
+init_read_state(openvpn_t)
+
 miscfiles_read_localization(openvpn_t)
 miscfiles_read_all_certs(openvpn_t)
 
@@ -163,6 +165,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dpkg_script_rw_inherited_pipes(openvpn_t)
+')
+
+optional_policy(`
 	dbus_system_bus_client(openvpn_t)
 	dbus_connect_system_bus(openvpn_t)
 
@@ -174,3 +180,7 @@ optional_policy(`
 optional_policy(`
 	systemd_use_passwd_agent(openvpn_t)
 ')
+
+optional_policy(`
+	unconfined_use_fds(openvpn_t)
+')
Index: refpolicy-2.20210126/policy/modules/services/postgrey.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/postgrey.te
+++ refpolicy-2.20210126/policy/modules/services/postgrey.te
@@ -47,6 +47,7 @@ manage_fifo_files_pattern(postgrey_t, po
 manage_sock_files_pattern(postgrey_t, postgrey_spool_t, postgrey_spool_t)
 
 manage_files_pattern(postgrey_t, postgrey_var_lib_t, postgrey_var_lib_t)
+allow postgrey_t postgrey_var_lib_t:file map;
 files_var_lib_filetrans(postgrey_t, postgrey_var_lib_t, file)
 
 manage_dirs_pattern(postgrey_t, postgrey_runtime_t, postgrey_runtime_t)
Index: refpolicy-2.20210126/policy/modules/services/rpc.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/rpc.te
+++ refpolicy-2.20210126/policy/modules/services/rpc.te
@@ -218,6 +218,7 @@ allow nfsd_t { nfsd_rw_t nfsd_ro_t }:dir
 
 kernel_read_network_state(nfsd_t)
 kernel_dontaudit_getattr_core_if(nfsd_t)
+kernel_search_debugfs(nfsd_t)
 kernel_setsched(nfsd_t)
 kernel_request_load_module(nfsd_t)
 # kernel_mounton_proc(nfsd_t)
Index: refpolicy-2.20210126/policy/modules/services/samba.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/samba.te
+++ refpolicy-2.20210126/policy/modules/services/samba.te
@@ -201,11 +201,14 @@ files_tmp_file(winbind_tmp_t)
 
 allow samba_net_t self:capability { dac_override dac_read_search sys_chroot sys_nice };
 allow samba_net_t self:capability2 block_suspend;
-allow samba_net_t self:process { getsched setsched };
+allow samba_net_t self:process { sigkill getsched setsched };
 allow samba_net_t self:unix_stream_socket { accept listen };
+allow samba_net_t self:fifo_file rw_file_perms;
 
 allow samba_net_t samba_etc_t:file read_file_perms;
 
+allow samba_net_t samba_var_run_t:file { map read_file_perms };
+
 manage_files_pattern(samba_net_t, samba_etc_t, samba_secrets_t)
 filetrans_pattern(samba_net_t, samba_etc_t, samba_secrets_t, file)
 
@@ -215,6 +218,7 @@ files_tmp_filetrans(samba_net_t, samba_n
 
 manage_dirs_pattern(samba_net_t, samba_var_t, samba_var_t)
 manage_files_pattern(samba_net_t, samba_var_t, samba_var_t)
+allow samba_net_t samba_var_t:file map;
 manage_lnk_files_pattern(samba_net_t, samba_var_t, samba_var_t)
 files_var_filetrans(samba_net_t, samba_var_t, dir, "samba")
 
@@ -300,6 +304,7 @@ allow smbd_t samba_share_t:filesystem {
 
 manage_dirs_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_files_pattern(smbd_t, samba_var_t, samba_var_t)
+allow smbd_t samba_var_t:file map;
 manage_lnk_files_pattern(smbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(smbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(smbd_t, samba_var_t, dir, "samba")
@@ -310,6 +315,7 @@ files_tmp_filetrans(smbd_t, smbd_tmp_t,
 
 manage_dirs_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
+allow smbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(smbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(smbd_t, samba_runtime_t, { dir file })
 
@@ -317,6 +323,7 @@ allow smbd_t winbind_runtime_t:sock_file
 stream_connect_pattern(smbd_t, winbind_runtime_t, winbind_runtime_t, winbind_t)
 
 stream_connect_pattern(smbd_t, samba_runtime_t, samba_runtime_t, nmbd_t)
+allow smbd_t nmbd_t:unix_dgram_socket sendto;
 
 kernel_getattr_core_if(smbd_t)
 kernel_getattr_message_if(smbd_t)
@@ -480,6 +487,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dbus_system_bus_client(smbd_t)
+')
+
+optional_policy(`
 	kerberos_read_keytab(smbd_t)
 	kerberos_use(smbd_t)
 ')
@@ -520,6 +531,7 @@ allow nmbd_t self:unix_stream_socket { a
 
 manage_dirs_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 manage_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
+allow nmbd_t samba_runtime_t:file map;
 manage_sock_files_pattern(nmbd_t, samba_runtime_t, samba_runtime_t)
 files_runtime_filetrans(nmbd_t, samba_runtime_t, { dir file sock_file })
 
@@ -532,7 +544,7 @@ create_files_pattern(nmbd_t, samba_log_t
 setattr_files_pattern(nmbd_t, samba_log_t, samba_log_t)
 
 manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
-manage_files_pattern(nmbd_t, samba_var_t, samba_var_t)
+allow nmbd_t samba_var_t:file map;
 manage_lnk_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 manage_sock_files_pattern(nmbd_t, samba_var_t, samba_var_t)
 files_var_filetrans(nmbd_t, samba_var_t, dir, "nmbd")
@@ -613,6 +625,8 @@ allow smbcontrol_t self:process { signal
 
 allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
 read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
+allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
+init_use_fds(smbcontrol_t)
 
 manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
 
Index: refpolicy-2.20210126/policy/modules/services/smartmon.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/smartmon.te
+++ refpolicy-2.20210126/policy/modules/services/smartmon.te
@@ -38,7 +38,7 @@ ifdef(`enable_mls',`
 # Local policy
 #
 
-allow fsdaemon_t self:capability { dac_override kill setgid setpcap sys_admin sys_rawio };
+allow fsdaemon_t self:capability { dac_override kill setgid setuid setpcap sys_admin sys_rawio };
 dontaudit fsdaemon_t self:capability sys_tty_config;
 allow fsdaemon_t self:process { getcap setcap signal_perms };
 allow fsdaemon_t self:fifo_file rw_fifo_file_perms;
Index: refpolicy-2.20210126/policy/modules/services/squid.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/squid.te
+++ refpolicy-2.20210126/policy/modules/services/squid.te
@@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
 allow squid_t self:unix_dgram_socket sendto;
 allow squid_t self:unix_stream_socket { accept connectto listen };
 allow squid_t self:tcp_socket { accept listen };
+allow squid_t self:netlink_netfilter_socket create_socket_perms;
 
 manage_dirs_pattern(squid_t, squid_cache_t, squid_cache_t)
 manage_files_pattern(squid_t, squid_cache_t, squid_cache_t)
@@ -91,6 +92,7 @@ manage_files_pattern(squid_t, squid_tmp_
 files_tmp_filetrans(squid_t, squid_tmp_t, { file dir })
 
 manage_files_pattern(squid_t, squid_tmpfs_t, squid_tmpfs_t)
+allow squid_t squid_tmpfs_t:file map;
 fs_tmpfs_filetrans(squid_t, squid_tmpfs_t, file)
 
 manage_files_pattern(squid_t, squid_runtime_t, squid_runtime_t)
Index: refpolicy-2.20210126/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/tor.te
+++ refpolicy-2.20210126/policy/modules/services/tor.te
@@ -74,6 +74,7 @@ files_runtime_filetrans(tor_t, tor_runti
 kernel_read_kernel_sysctls(tor_t)
 kernel_read_net_sysctls(tor_t)
 kernel_read_system_state(tor_t)
+kernel_read_vm_overcommit_sysctl(tor_t)
 
 corenet_all_recvfrom_netlabel(tor_t)
 corenet_tcp_sendrecv_generic_if(tor_t)
Index: refpolicy-2.20210126/policy/modules/services/watchdog.te
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/watchdog.te
+++ refpolicy-2.20210126/policy/modules/services/watchdog.te
@@ -76,6 +76,8 @@ auth_append_login_records(watchdog_t)
 
 logging_send_syslog_msg(watchdog_t)
 
+mcs_killall(watchdog_t)
+
 miscfiles_read_localization(watchdog_t)
 
 sysnet_dns_name_resolve(watchdog_t)
Index: refpolicy-2.20210126/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210126.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210126/policy/modules/services/xserver.if
@@ -1647,6 +1647,7 @@ interface(`xserver_rw_mesa_shader_cache'
 
 	rw_dirs_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
 	rw_files_pattern($1, mesa_shader_cache_t, mesa_shader_cache_t)
+	allow $1 mesa_shader_cache_t:file map;
 	xdg_search_cache_dirs($1)
 ')
 
