From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] new version of filetrans patch
Date: Mon, 1 Feb 2021 15:57:13 +1100 [thread overview]
Message-ID: <YBeKKR5cmQe+MTRA@xev> (raw)
Name changes suggested by Dominick and some more additions.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210130/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210130/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')
#######################################
Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210130/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
@@ -307,10 +308,20 @@ optional_policy(`
')
optional_policy(`
+ aptcacher_filetrans_cache_dir(dpkg_script_t)
+ aptcacher_filetrans_conf_dir(dpkg_script_t)
+ aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')
optional_policy(`
+ clamav_filetrans_log(dpkg_script_t)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')
@@ -319,6 +330,10 @@ optional_policy(`
')
optional_policy(`
+ milter_filetrans_spamass_state(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')
@@ -327,6 +342,11 @@ optional_policy(`
')
optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
Index: refpolicy-2.20210130/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210130/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210130/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210130/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
########################################
## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mysqld home files.
## </summary>
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')
+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
Index: refpolicy-2.20210130/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210130/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
+
+########################################
+## <summary>
+## specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+ gen_require(`
+ type clamd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')
Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210130/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210130/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210130/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210130/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/init.te
+++ refpolicy-2.20210130/policy/modules/system/init.te
@@ -1094,6 +1094,7 @@ optional_policy(`
')
optional_policy(`
+ clamav_filetrans_runtime_dir(initrc_t)
clamav_read_config(initrc_t)
')
@@ -1287,6 +1288,10 @@ optional_policy(`
')
optional_policy(`
+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
rpc_read_exports(initrc_t)
')
Index: refpolicy-2.20210130/policy/modules/services/milter.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/milter.if
+++ refpolicy-2.20210130/policy/modules/services/milter.if
@@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state',
########################################
## <summary>
+## create spamass milter state dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
+')
+
+########################################
+## <summary>
## Get the attributes of the spamassissin milter data dir.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210130/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210130/policy/modules/system/unconfined.te
@@ -67,6 +67,7 @@ ifdef(`init_systemd',`
optional_policy(`
systemd_dbus_chat_resolved(unconfined_t)
+ systemd_filetrans_passwd_runtime_dirs(unconfined_t)
')
')
Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210130/policy/modules/roles/sysadm.te
@@ -99,6 +99,7 @@ ifdef(`init_systemd',`
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)
+ systemd_run_passwd_agent(sysadm_t, sysadm_r)
systemd_watch_passwd_runtime_dirs(sysadm_t)
')
Index: refpolicy-2.20210130/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210130/policy/modules/system/systemd.if
@@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds'
allow systemd_passwd_agent_t $1:fd use;
')
+########################################
+## <summary>
+## allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that runs it
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## role that it runs in
+## </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')
+
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
next reply other threads:[~2021-02-01 6:39 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-01 4:57 Russell Coker [this message]
2021-02-02 13:49 ` [PATCH] new version of filetrans patch Chris PeBenito
2021-02-02 14:42 ` Russell Coker
2021-02-02 18:28 ` Chris PeBenito
2021-02-02 14:51 ` Russell Coker
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YBeKKR5cmQe+MTRA@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.