From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc apps and admin patches
Date: Wed, 20 Jan 2021 14:28:49 +0100 [thread overview]
Message-ID: <ypjl5z3rn3e6.fsf@defensec.nl> (raw)
In-Reply-To: <YAgCC7ngI/WrlxMR@xev> (Russell Coker's message of "Wed, 20 Jan 2021 21:12:27 +1100")
Russell Coker <russell@coker.com.au> writes:
> Patches for apt unattended upgrades and dbus, logrotate certs and samba,
> games_t, mplayer/mencoder, and sysadm_t dbus.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210120/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210120/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
> /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> ifndef(`distro_redhat',`
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
> /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>
> /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210120/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210120/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(apt_t)
> ')
>
> @@ -169,5 +173,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(apt_t)
> ')
> Index: refpolicy-2.20210120/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210120/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>
> dpkg_read_db(bootloader_t)
> dpkg_rw_pipes(bootloader_t)
> +
> + apt_use_fds(bootloader_t)
> + apt_use_ptys(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20210120/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210120/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
> logging_send_audit_msgs(logrotate_t)
> logging_exec_all_logs(logrotate_t)
>
> +miscfiles_read_generic_certs(logrotate_t)
> miscfiles_read_localization(logrotate_t)
>
> seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samba_domtrans_smbcontrol(logrotate_t)
> samba_exec_log(logrotate_t)
> ')
>
> Index: refpolicy-2.20210120/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210120/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>
> can_exec(games_t, games_exec_t)
>
> +kernel_read_kernel_sysctls(games_t)
> kernel_read_system_state(games_t)
>
> corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>
> corenet_all_recvfrom_netlabel(games_t)
> corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>
> logging_dontaudit_search_logs(games_t)
>
> +miscfiles_read_generic_certs(games_t)
> miscfiles_read_man_pages(games_t)
> miscfiles_read_localization(games_t)
>
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
> ')
>
> optional_policy(`
> + alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
> dbus_all_session_bus_client(games_t)
> dbus_connect_all_session_bus(games_t)
> + dbus_read_lib_files(games_t)
> + dbus_system_bus_client(games_t)
> ')
>
> optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xdg_read_config_files(games_t)
> + xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
> domtrans_pattern($2, mencoder_exec_t, mencoder_t)
> domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>
> - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> + allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
> ps_process_pattern($2, { mplayer_t mencoder_t })
>
> allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210120/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210120/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
> fs_manage_cifs_symlinks(mencoder_t)
> ')
>
> +tunable_policy(`xserver_allow_dri',`
> + dev_rw_dri(mplayer_t)
> +')
> +
> ########################################
> #
> # Mplayer local policy
> #
>
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
> allow mplayer_t self:fifo_file rw_fifo_file_perms;
> allow mplayer_t self:sem create_sem_perms;
> allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
> kernel_dontaudit_list_unlabeled(mplayer_t)
> kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
> kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
> kernel_read_system_state(mplayer_t)
> kernel_read_kernel_sysctls(mplayer_t)
>
> Index: refpolicy-2.20210120/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210120.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210120/policy/modules/roles/sysadm.te
> @@ -530,6 +530,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + init_dbus_chat(sysadm_t)
Can you explain why you added this?
> +')
> +
> +optional_policy(`
> inn_admin(sysadm_t, sysadm_r)
> ')
>
>
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
next prev parent reply other threads:[~2021-01-20 14:03 UTC|newest]
Thread overview: 9+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-01-20 10:12 [PATCH] misc apps and admin patches Russell Coker
2021-01-20 13:28 ` Dominick Grift [this message]
2021-01-20 13:36 ` Russell Coker
2021-01-20 15:03 ` Dominick Grift
2021-01-20 15:06 ` Dominick Grift
2021-01-20 15:08 ` Dominick Grift
2021-01-20 23:18 ` Russell Coker
-- strict thread matches above, loose matches on Subject: below --
2021-02-02 14:55 Russell Coker
2021-02-02 18:33 ` Chris PeBenito
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=ypjl5z3rn3e6.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.