From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-15.8 required=3.0 tests=BAYES_00,DKIM_SIGNED, DKIM_VALID,DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,INCLUDES_CR_TRAILER, INCLUDES_PATCH,MAILING_LIST_MULTI,SPF_HELO_NONE,SPF_PASS,URIBL_BLOCKED autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id D5D2EC433DB for ; Fri, 29 Jan 2021 17:18:51 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 942A264E00 for ; Fri, 29 Jan 2021 17:18:51 +0000 (UTC) Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S231526AbhA2RSU (ORCPT ); Fri, 29 Jan 2021 12:18:20 -0500 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:48380 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S232433AbhA2RQK (ORCPT ); Fri, 29 Jan 2021 12:16:10 -0500 Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:140:71f5::dada:cafe]) by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 52332C06178A for ; Fri, 29 Jan 2021 09:15:13 -0800 (PST) Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 18C74ECF5 for ; Sat, 30 Jan 2021 04:15:10 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1611940510; bh=c54XRgI3YSoDo9Bvu6FeMy5IstW92Uo/cvGkt/CPla0=; l=8072; h=Date:From:To:Subject:From; b=yycOZ7Zf2CGH81q7z22yRenl+AZMjnAMAhbH5wZU1HbD4INXWVxEiRRdKbzBOjdQs lFn6Qg8u94auN1sjYNnVmaHN7rI4A8zrF/KWd2PAizcIbfPuu+OIj970vOJ3Od4pNf tuqUwEgNOXIFJfK50v94XWrF8GB1pk1zUrg26Zho= Received: by xev.coker.com.au (Postfix, from userid 1001) id A530C13453C0; Sat, 30 Jan 2021 04:15:04 +1100 (AEDT) Date: Sat, 30 Jan 2021 04:15:04 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] type transition rules for Debian installations Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org This patch has named type transition rules for the creation of directories without specifying the type, hopefully these will be removed at some future time when the package maintainer does things differently, but that won't happen soon. Signed-off-by: Russell Coker
Index: refpolicy-2.20210129/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210129/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
 ## Domain allowed access.
 ##
 ##
+##
+##
+## The name of the object being created.
+##
+##
 #
 interface(`auth_etc_filetrans_shadow',`
 gen_require(`
 type shadow_t;
 ')
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
 ')
 #######################################
Index: refpolicy-2.20210129/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210129/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
 files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
 auth_manage_shadow(dpkg_script_t)
 init_all_labeled_script_domtrans(dpkg_script_t)
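Review bot: The new parameter line `## The name of the object being created.` does not say what happens when the argument is omitted: with `$2` empty, `files_etc_filetrans($1, shadow_t, file, $2)` expands to an unnamed transition, so every file the domain creates in an etc_t directory is labeled shadow_t, which is the much broader form. Suggest `## Name of the file to be created as shadow_t; when omitted, every file $1 creates in an etc_t directory gets the shadow_t type.` so callers understand why the named form is preferable. The parameter is presumably marked optional in the param tag (stripped from this rendering), since existing callers pass a single argument.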
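Review bot: `auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")` keys on a single literal filename with no comment recording which tool writes it; the `upwd` infix suggests Debian's update-passwd, which presumably rewrites /etc/gshadow through a sibling temporary name as well. If so, that temporary file would be created as etc_t and renamed over /etc/gshadow (which refpolicy also labels shadow_t), leaving the group shadow file readable under the generic etc_t label until the next relabel. Worth confirming against the package and, if confirmed, adding a second call for the gshadow name; either way a comment such as `# temporary file written by update-passwd before it is renamed over /etc/shadow` would explain why this one name is special.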
@@ -307,10 +308,20 @@ optional_policy(`
 ')
 optional_policy(`
+ aptcacher_create_cache_dir(dpkg_script_t)
+ aptcacher_create_conf_dir(dpkg_script_t)
+ aptcacher_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 bootloader_run(dpkg_script_t, dpkg_roles)
 ')
 optional_policy(`
+ clamav_create_freshclam_log(dpkg_script_t)
+')
+
+optional_policy(`
 devicekit_dbus_chat_power(dpkg_script_t)
 ')
@@ -327,6 +338,11 @@ optional_policy(`
 ')
 optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 nis_use_ypbind(dpkg_script_t)
 ')
Index: refpolicy-2.20210129/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210129/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
 /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
 /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210129/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210129/policy/modules/services/mysql.if
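Review bot: Replacing `/var/log/mysql.* --` with `/var/log/mysql(/.*)?` in mysql.fc drops coverage for plain files at the top of /var/log whose name merely starts with `mysql` (a `/var/log/mysqld.log`-style file, for instance): the old anchored regex matched them, the new one matches only the `mysql` directory and what is beneath it, so on layouts that log to such a file the label falls back to var_log_t and mysqld's writes would likely be denied. Keep both entries instead of substituting one for the other: `/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)` followed by `/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)`; the `--` entry cannot collide with the directory entry. The mariadb line appears on both sides with identical text, presumably a whitespace-only change.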
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
 ########################################
 ##
+## create mysqld db dir.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+##
 ## Create, read, write, and delete
 ## mysqld home files.
 ##
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
 ')
 logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
 allow $1 mysqld_log_t:file write_file_perms;
 ')
+########################################
+##
+## create mysqld log dir.
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
 ######################################
 ##
 ## Execute mysqld safe in the
Index: refpolicy-2.20210129/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210129/policy/modules/services/clamav.if
@@ -430,3 +430,21 @@ interface(`clamav_admin',`
 files_list_tmp($1)
 admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
 ')
+
+########################################
+##
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`clamav_create_freshclam_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
Index: refpolicy-2.20210129/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210129/policy/modules/services/aptcacher.if
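Review bot: The summary `## create mysqld db dir.` names neither the path nor the resulting type, while the aptcacher interfaces added by the same patch spell the path out; a reader of the interface index cannot tell that this is a named transition for `/var/lib/mysql`. Suggest `## Create /var/lib/mysql with the mysqld_db_t type.` here and the matching `## Create /var/log/mysql with the mysqld_log_t type.` for mysql_create_log_dir in the next hunk. Note also that `files_var_lib_filetrans` keys on the var_lib_t type, so the rule fires for a directory named `mysql` created in any var_lib_t directory, not only /var/lib itself; that is inherent to the pattern but worth a word in the summary.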
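Review bot: `mysql_create_log_dir` calls `logging_search_logs($1)` before `logging_log_filetrans($1, mysqld_log_t, dir, "mysql")`, whereas `aptcacher_create_log_dir` in the aptcacher.if hunk of this patch calls only `logging_log_filetrans`; the two cannot both be right. If `logging_log_filetrans` already grants search on var_log_t the extra call here is redundant, otherwise `aptcacher_create_log_dir` cannot traverse /var/log on its own — check logging.if and make the two new interfaces agree. The `allow $1 mysqld_log_t:dir search_dir_perms;` added to mysql_write_log is the right companion to /var/log/mysql becoming a directory in mysql.fc.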
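Review bot: `clamav_create_freshclam_log` grants the transition inside clamd_var_log_t (and, presumably via filetrans_pattern, directory access on clamd_var_log_t itself) but nothing to reach that directory: there is no `logging_search_logs($1)`, so a caller that does not get search on var_log_t from elsewhere cannot traverse /var/log to /var/log/clamav. dpkg_script_t likely has that through its broad file rules, but an interface should stand on its own; add `logging_search_logs($1)` before the `filetrans_pattern` call, as `mysql_create_log_dir` in the previous file does. The summary `## specified domain creates /var/log/clamav/freshclam.log with correct type` could also follow the refpolicy form, e.g. `## Create /var/log/clamav/freshclam.log with the freshclam_var_log_t type.`.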
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
 files_search_runtime($1)
 stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+########################################
+##
+## create /var/log/apt-cacher-ng
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+##
+## create /var/cache/apt-cacher-ng
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+##
+## create /etc/apt-cacher-ng
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`aptcacher_create_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210129/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210129/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
 ftp_run_ftpdctl($1, $2)
 ')
+
+########################################
+##
+## create /run/pure-ftpd
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`ftp_create_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210129/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/init.te
+++ refpolicy-2.20210129/policy/modules/system/init.te
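Review bot: `aptcacher_create_cache_dir` describes itself as creating /var/cache/apt-cacher-ng but uses `files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")`, which keys on the var_t type rather than on /var/cache specifically; this only does what the summary says if /var/cache carries the generic var_t label (it appears to in refpolicy, but verify against files.fc), and the same rule then also fires for an `apt-cacher-ng` directory created directly in /var or any other var_t directory. A comment such as `# /var/cache is var_t, so this also covers /var/cache/apt-cacher-ng` above the call would save the next reader that lookup. The three interfaces are otherwise consistent with each other; the only difference from `mysql_create_log_dir` in this patch is the missing `logging_search_logs($1)` in `aptcacher_create_log_dir`, which that hunk's note covers.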
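Review bot: `ftp_create_pure_ftpd_runtime` creates /run/pure-ftpd as ftpd_runtime_t through a named transition, but the patch does not touch ftp.fc, and whether that file already has a matching entry is not visible here. Without an entry such as `/run/pure-ftpd(/.*)? gen_context(system_u:object_r:ftpd_runtime_t,s0)` a relabel would reset the directory to the generic runtime type and the transition and the file contexts would disagree; please confirm the entry exists or add it next to this interface. The summary `## create /run/pure-ftpd` should also name the type, e.g. `## Create /run/pure-ftpd with the ftpd_runtime_t type.`.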
@@ -1287,6 +1287,10 @@ optional_policy(`
 ')
 optional_policy(`
+ ftp_create_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
 rpc_read_exports(initrc_t)
 ')
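Review bot: `ftp_create_pure_ftpd_runtime(initrc_t)` carries no comment explaining why init scripts, rather than the ftpd domain, create /run/pure-ftpd; presumably the Debian pure-ftpd init script creates the directory before starting the daemon, which is the Debian-specific situation the cover letter describes as temporary. A line such as `# Debian's pure-ftpd init script creates /run/pure-ftpd before starting the daemon` inside the new optional_policy block would record that, so the rule can be removed from init.te once the package no longer needs it.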