From: Dominick Grift <dominick.grift@defensec.nl>
To: Russell Coker <russell@coker.com.au>
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] misc services patches
Date: Wed, 03 Feb 2021 19:06:41 +0100	[thread overview]
Message-ID: <ypjlo8h1qb4e.fsf@defensec.nl> (raw)
In-Reply-To: <YBohv4PUTV7ZgBqU@xev> (Russell Coker's message of "Wed, 3 Feb 2021 15:08:31 +1100")

Russell Coker <russell@coker.com.au> writes:

> Lots of little patches for services.
>
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210203/policy/modules/services/accountsd.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/accountsd.te
> +++ refpolicy-2.20210203/policy/modules/services/accountsd.te
> @@ -21,8 +21,8 @@ files_type(accountsd_var_lib_t)
>  # Local policy
>  #
>  
> -allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace };
> -allow accountsd_t self:process signal;
> +allow accountsd_t self:capability { chown dac_override setgid setuid sys_ptrace sys_nice };
> +allow accountsd_t self:process { signal getsched setsched };
>  allow accountsd_t self:fifo_file rw_fifo_file_perms;
>  allow accountsd_t self:passwd { rootok passwd chfn chsh };
>  
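Review bot: The `sys_nice` capability added to the accountsd_t self:capability rule has no explanatory comment and is broader than the `setsched` permission added on the next line; `setsched` on self already covers scheduler changes on the daemon's own threads, whereas CAP_SYS_NICE additionally permits raising priority above the limit and, together with other permissions, touching other processes' scheduling. If the AVC that motivated this change was only a `self:process setsched` denial, try dropping `sys_nice`; if a capability denial was actually observed, keep it but note the trigger, e.g. `# sys_nice: TODO name the call that requires it`.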
> Index: refpolicy-2.20210203/policy/modules/services/acpi.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/acpi.te
> +++ refpolicy-2.20210203/policy/modules/services/acpi.te
> @@ -45,6 +45,8 @@ files_type(acpid_var_lib_t)
>  #
>  
>  allow acpi_t self:capability { dac_override sys_admin };
> +# for pidof and pgrep
> +allow acpid_t self:cap_userns sys_ptrace;
>  
>  kernel_read_system_state(acpi_t)
>  
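Review bot: `allow acpid_t self:cap_userns sys_ptrace;` grants the permission outright where a dontaudit may be all that is needed: the `cap_userns sys_ptrace` check fires when pidof/pgrep iterate /proc and hit processes in other user namespaces, and the tools normally still find the processes they are looking for when it is denied. Unless acpid genuinely needs to inspect namespaced processes, consider `dontaudit acpid_t self:cap_userns sys_ptrace;` with the existing `# for pidof and pgrep` comment kept; confirm by checking that the scripts still work with the dontaudit. The same question applies to the identical rule added to mon_local_test_t in the mon.te hunk of this series.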
> @@ -105,6 +107,7 @@ dev_rw_acpi_bios(acpid_t)
>  dev_rw_sysfs(acpid_t)
>  dev_dontaudit_getattr_all_chr_files(acpid_t)
>  dev_dontaudit_getattr_all_blk_files(acpid_t)
> +dev_watch_dev_dirs(acpid_t)
>  
>  files_exec_etc_files(acpid_t)
>  files_read_etc_runtime_files(acpid_t)
> @@ -136,6 +139,7 @@ domain_dontaudit_list_all_domains_state(
>  auth_use_nsswitch(acpid_t)
>  
>  init_domtrans_script(acpid_t)
> +init_read_utmp(acpid_t)
>  init_telinit(acpid_t)
>  
>  libs_exec_ld_so(acpid_t)
> @@ -218,6 +222,7 @@ optional_policy(`
>  
>  optional_policy(`
>  	init_list_unit_dirs(acpid_t)
> +	systemd_dbus_chat_logind(acpid_t)
>  	systemd_start_power_units(acpid_t)
>  	systemd_status_power_units(acpid_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/apache.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.fc
> +++ refpolicy-2.20210203/policy/modules/services/apache.fc
> @@ -172,7 +172,7 @@ ifdef(`distro_suse',`
>  /var/log/roundcubemail(/.*)?					gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/suphp\.log.*					--	gen_context(system_u:object_r:httpd_log_t,s0)
>  /var/log/z-push(/.*)?						gen_context(system_u:object_r:httpd_sys_rw_content_t,s0)
> -/var/log/php[^/]+-fpm\.log				--	gen_context(system_u:object_r:httpd_log_t,s0)
> +/var/log/php[^/]+-fpm\.log.*				--	gen_context(system_u:object_r:httpd_log_t,s0)
>  
>  /run/apache.*							gen_context(system_u:object_r:httpd_runtime_t,s0)
>  /run/cherokee\.pid					--	gen_context(system_u:object_r:httpd_runtime_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/apache.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/apache.te
> +++ refpolicy-2.20210203/policy/modules/services/apache.te
> @@ -505,6 +505,7 @@ files_list_mnt(httpd_t)
>  files_search_spool(httpd_t)
>  files_read_var_symlinks(httpd_t)
>  files_read_var_lib_files(httpd_t)
> +files_map_var_lib_files(httpd_t)
>  files_search_home(httpd_t)
>  files_getattr_home_dir(httpd_t)
>  files_read_etc_runtime_files(httpd_t)
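Review bot: `files_map_var_lib_files(httpd_t)` grants `map` on every file carrying the generic var_lib_t type, not only on whichever file produced the denial, and nothing in the hunk says what that file is. If it belongs to a specific web application or cache, giving it a dedicated type would keep httpd_t away from unrelated /var/lib content; if the generic interface really is the right fit, add the why-comment refpolicy uses for such rules, e.g. `# for /var/lib/<file> (TODO name the mapped file)`.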
> Index: refpolicy-2.20210203/policy/modules/services/aptcacher.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/aptcacher.te
> +++ refpolicy-2.20210203/policy/modules/services/aptcacher.te
> @@ -64,6 +64,7 @@ manage_files_pattern(aptcacher_t, aptcac
>  
>  manage_sock_files_pattern(aptcacher_t, aptcacher_runtime_t, aptcacher_runtime_t)
>  
> +kernel_read_system_state(aptcacher_t)
>  kernel_read_vm_overcommit_sysctl(aptcacher_t)
>  
>  # Calls system()
> @@ -76,6 +77,7 @@ corenet_tcp_connect_http_port(aptcacher_
>  auth_use_nsswitch(aptcacher_t)
>  
>  files_read_etc_files(aptcacher_t)
> +files_read_usr_files(aptcacher_t)
>  
>  # Uses sd_notify() to inform systemd it has properly started
>  init_dgram_send(aptcacher_t)
> Index: refpolicy-2.20210203/policy/modules/services/bind.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bind.te
> +++ refpolicy-2.20210203/policy/modules/services/bind.te
> @@ -76,7 +76,7 @@ role ndc_roles types ndc_t;
>  
>  allow named_t self:capability { chown dac_override fowner setgid setuid sys_chroot sys_nice sys_resource };
>  dontaudit named_t self:capability sys_tty_config;
> -allow named_t self:process { setsched getcap setcap setrlimit signal_perms };
> +allow named_t self:process { getsched setsched getcap setcap setrlimit signal_perms };
>  allow named_t self:fifo_file rw_fifo_file_perms;
>  allow named_t self:unix_stream_socket { accept listen };
>  allow named_t self:tcp_socket { accept listen };
> @@ -212,9 +212,9 @@ optional_policy(`
>  # NDC local policy
>  #
>  
> -allow ndc_t self:capability { dac_override net_admin };
> +allow ndc_t self:capability { dac_override dac_read_search net_admin };
>  allow ndc_t self:capability2 block_suspend;
> -allow ndc_t self:process signal_perms;
> +allow ndc_t self:process { signal_perms getsched setsched };
>  allow ndc_t self:fifo_file rw_fifo_file_perms;
>  allow ndc_t self:unix_stream_socket { accept listen };
>  
> Index: refpolicy-2.20210203/policy/modules/services/bluetooth.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/bluetooth.te
> +++ refpolicy-2.20210203/policy/modules/services/bluetooth.te
> @@ -60,6 +60,7 @@ allow bluetooth_t self:socket create_str
>  allow bluetooth_t self:unix_stream_socket { accept connectto listen };
>  allow bluetooth_t self:tcp_socket { accept listen };
>  allow bluetooth_t self:netlink_kobject_uevent_socket create_socket_perms;
> +allow bluetooth_t self:bluetooth_socket create_stream_socket_perms;
>  
>  read_files_pattern(bluetooth_t, bluetooth_conf_t, bluetooth_conf_t)
>  
> @@ -87,6 +88,7 @@ files_runtime_filetrans(bluetooth_t, blu
>  
>  can_exec(bluetooth_t, bluetooth_helper_exec_t)
>  
> +kernel_read_crypto_sysctls(bluetooth_t)
>  kernel_read_kernel_sysctls(bluetooth_t)
>  kernel_read_system_state(bluetooth_t)
>  kernel_read_network_state(bluetooth_t)
> @@ -123,6 +125,8 @@ miscfiles_read_localization(bluetooth_t)
>  miscfiles_read_fonts(bluetooth_t)
>  miscfiles_read_hwdata(bluetooth_t)
>  
> +udev_search_runtime(bluetooth_t)
> +
>  userdom_dontaudit_use_unpriv_user_fds(bluetooth_t)
>  userdom_dontaudit_use_user_terminals(bluetooth_t)
>  userdom_dontaudit_search_user_home_dirs(bluetooth_t)
> @@ -210,5 +214,9 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	unconfined_dbus_send(bluetooth_t)
> +')
> +
> +optional_policy(`
>  	xserver_user_x_domain_template(bluetooth_helper, bluetooth_helper_t, bluetooth_helper_tmpfs_t)
>  ')
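Review bot: `unconfined_dbus_send(bluetooth_t)` is added without a comment naming the unconfined D-Bus peer bluetoothd needs to message, so a later reader cannot tell whether the rule is still needed or could be replaced by a rule towards a confined client domain. The one-way send interface is the right narrow choice compared with a full chat, but please record the trigger, e.g. `# signals/replies to D-Bus clients running unconfined (TODO name the client)`.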
> Index: refpolicy-2.20210203/policy/modules/services/boinc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/boinc.te
> +++ refpolicy-2.20210203/policy/modules/services/boinc.te
> @@ -118,6 +118,7 @@ corecmd_exec_shell(boinc_t)
>  dev_read_rand(boinc_t)
>  dev_read_urand(boinc_t)
>  dev_read_sysfs(boinc_t)
> +dev_rw_dri(boinc_t)
>  dev_rw_xserver_misc(boinc_t)
>  
>  domain_read_all_domains_state(boinc_t)
> Index: refpolicy-2.20210203/policy/modules/services/certbot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/certbot.te
> +++ refpolicy-2.20210203/policy/modules/services/certbot.te
> @@ -85,6 +85,8 @@ domain_use_interactive_fds(certbot_t)
>  files_read_etc_files(certbot_t)
>  files_read_usr_files(certbot_t)
>  
> +# dontaudit for attempts to write python cache files
> +libs_dontaudit_write_lib_dirs(certbot_t)
>  libs_exec_ldconfig(certbot_t)
>  # for /usr/lib/gcc/x86_64-linux-gnu/8/collect2
>  libs_exec_lib_files(certbot_t)
> Index: refpolicy-2.20210203/policy/modules/services/clamav.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/clamav.te
> +++ refpolicy-2.20210203/policy/modules/services/clamav.te
> @@ -176,7 +176,7 @@ optional_policy(`
>  # Freshclam local policy
>  #
>  
> -allow freshclam_t self:capability { dac_override setgid setuid };
> +allow freshclam_t self:capability { chown dac_override setgid setuid };
>  allow freshclam_t self:fifo_file rw_fifo_file_perms;
>  allow freshclam_t self:unix_stream_socket { accept listen };
>  allow freshclam_t self:tcp_socket { accept listen };
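Review bot: The `chown` capability added to freshclam_t's self:capability rule has no comment, and CAP_CHOWN is not limited to files the daemon owns. If this is for freshclam re-owning downloaded database files per its DatabaseOwner setting, say so, e.g. `# chown: DatabaseOwner handling on downloaded databases`, so the capability can be revisited if that behaviour changes; if the denial came from somewhere else, the comment should name that instead.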
> @@ -228,6 +228,7 @@ dev_read_urand(freshclam_t)
>  domain_use_interactive_fds(freshclam_t)
>  
>  files_read_etc_runtime_files(freshclam_t)
> +files_read_usr_files(freshclam_t)
>  files_search_var_lib(freshclam_t)
>  
>  auth_use_nsswitch(freshclam_t)
> Index: refpolicy-2.20210203/policy/modules/services/colord.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/colord.te
> +++ refpolicy-2.20210203/policy/modules/services/colord.te
> @@ -25,7 +25,7 @@ files_type(colord_var_lib_t)
>  
>  allow colord_t self:capability { dac_override dac_read_search };
>  dontaudit colord_t self:capability sys_admin;
> -allow colord_t self:process signal;
> +allow colord_t self:process { signal getsched setsched };
>  allow colord_t self:fifo_file rw_fifo_file_perms;
>  allow colord_t self:netlink_kobject_uevent_socket create_socket_perms;
>  allow colord_t self:tcp_socket { accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20210203/policy/modules/services/cron.te
> @@ -461,6 +461,7 @@ kernel_read_fs_sysctls(system_cronjob_t)
>  kernel_read_irq_sysctls(system_cronjob_t)
>  kernel_read_kernel_sysctls(system_cronjob_t)
>  kernel_read_network_state(system_cronjob_t)
> +kernel_read_rpc_sysctls(system_cronjob_t)
>  kernel_read_system_state(system_cronjob_t)
>  kernel_read_software_raid_state(system_cronjob_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/cups.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/cups.te
> +++ refpolicy-2.20210203/policy/modules/services/cups.te
> @@ -5,6 +5,13 @@ policy_module(cups, 1.25.3)
>  # Declarations
>  #
>  
> +## <desc>
> +## <p>
> +## Allows legacy ld_so for old printer filters
> +## </p>
> +## </desc>
> +gen_tunable(cups_legacy_ldso, false)
> +
>  type cupsd_config_t;
>  type cupsd_config_exec_t;
>  init_daemon_domain(cupsd_config_t, cupsd_config_exec_t)
> @@ -131,6 +138,7 @@ manage_files_pattern(cupsd_t, cupsd_inte
>  
>  manage_dirs_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  manage_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
> +manage_lnk_files_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t)
>  filetrans_pattern(cupsd_t, cupsd_etc_t, cupsd_rw_etc_t, file)
>  files_var_filetrans(cupsd_t, cupsd_rw_etc_t, { dir file })
>  
> @@ -211,11 +219,13 @@ domain_use_interactive_fds(cupsd_t)
>  
>  files_getattr_boot_dirs(cupsd_t)
>  files_list_spool(cupsd_t)
> +files_map_etc_files(cupsd_t)
>  files_read_etc_runtime_files(cupsd_t)
>  files_read_usr_files(cupsd_t)
>  files_exec_usr_files(cupsd_t)
>  # for /var/lib/defoma
>  files_read_var_lib_files(cupsd_t)
> +files_read_var_lib_symlinks(cupsd_t)
>  files_list_world_readable(cupsd_t)
>  files_read_world_readable_files(cupsd_t)
>  files_read_world_readable_symlinks(cupsd_t)
> @@ -565,6 +575,10 @@ userdom_manage_user_home_content_dirs(cu
>  userdom_manage_user_home_content_files(cups_pdf_t)
>  userdom_home_filetrans_user_home_dir(cups_pdf_t)
>  
> +tunable_policy(`cups_legacy_ldso',`
not sure if this is worth a tunable

> +	libs_legacy_use_ld_so(cupsd_t)
> +')
> +
>  tunable_policy(`use_nfs_home_dirs',`
>  	fs_manage_nfs_dirs(cups_pdf_t)
>  	fs_manage_nfs_files(cups_pdf_t)
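Review bot: The new `tunable_policy(`cups_legacy_ldso',` block targets cupsd_t but is inserted in the middle of the cups_pdf_t rules: the context on both sides (`userdom_manage_user_home_content_files(cups_pdf_t)` above, `fs_manage_nfs_dirs(cups_pdf_t)` below) belongs to the cups_pdf local policy section. Move the block up into the cupsd_t local policy section, next to the other `libs_*` calls for cupsd_t, so the rule is found where a reader looks for cupsd_t's permissions.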
> Index: refpolicy-2.20210203/policy/modules/services/devicekit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/devicekit.te
> +++ refpolicy-2.20210203/policy/modules/services/devicekit.te
> @@ -67,7 +67,7 @@ optional_policy(`
>  
>  allow devicekit_disk_t self:capability { chown dac_override fowner fsetid net_admin setgid setuid sys_admin sys_nice sys_ptrace sys_rawio };
>  allow devicekit_disk_t self:capability2 wake_alarm;
> -allow devicekit_disk_t self:process { getsched signal_perms };
> +allow devicekit_disk_t self:process { getsched setsched signal_perms };
>  allow devicekit_disk_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_disk_t self:netlink_kobject_uevent_socket create_socket_perms;
>  
> @@ -135,6 +135,8 @@ mls_file_read_all_levels(devicekit_disk_
>  mls_file_write_to_clearance(devicekit_disk_t)
>  
>  mount_rw_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files(devicekit_disk_t)
> +mount_watch_runtime_files_reads(devicekit_disk_t)
>  
>  storage_raw_read_fixed_disk(devicekit_disk_t)
>  storage_raw_write_fixed_disk(devicekit_disk_t)
> @@ -147,6 +149,7 @@ auth_use_nsswitch(devicekit_disk_t)
>  
>  logging_send_syslog_msg(devicekit_disk_t)
>  
> +mount_watch_runtime_dirs(devicekit_disk_t)
>  miscfiles_read_localization(devicekit_disk_t)
>  
>  userdom_read_all_users_state(devicekit_disk_t)
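Review bot: `mount_watch_runtime_dirs(devicekit_disk_t)` is placed between `logging_send_syslog_msg` and `miscfiles_read_localization`, while the two other `mount_watch_runtime_*` calls added by the previous hunk sit next to `mount_rw_runtime_files(devicekit_disk_t)`. Keep all three together at that earlier location so the module grouping refpolicy follows is preserved and the watch rules can be reviewed as one unit.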
> @@ -210,7 +213,7 @@ optional_policy(`
>  
>  allow devicekit_power_t self:capability { dac_override net_admin sys_admin sys_nice sys_ptrace sys_tty_config };
>  allow devicekit_power_t self:capability2 wake_alarm;
> -allow devicekit_power_t self:process { getsched signal_perms };
> +allow devicekit_power_t self:process { getsched setsched signal_perms };
>  allow devicekit_power_t self:fifo_file rw_fifo_file_perms;
>  allow devicekit_power_t self:unix_dgram_socket create_socket_perms;
>  allow devicekit_power_t self:unix_stream_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/dirmngr.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dirmngr.te
> +++ refpolicy-2.20210203/policy/modules/services/dirmngr.te
> @@ -85,6 +85,7 @@ miscfiles_read_generic_certs(dirmngr_t)
>  userdom_search_user_home_dirs(dirmngr_t)
>  userdom_search_user_runtime(dirmngr_t)
>  userdom_user_runtime_filetrans(dirmngr_t, dirmngr_tmp_t, dir)
> +allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;
>  
>  optional_policy(`
>  	gpg_agent_tmp_filetrans(dirmngr_t, dirmngr_tmp_t, sock_file)
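Review bot: `allow dirmngr_t dirmngr_tmp_t:dir manage_dir_perms;` is a raw rule on the domain's own tmp type appended after the `userdom_*` interface calls; the rules for dirmngr_tmp_t normally live in the local policy block at the top of the section, next to the filetrans and manage patterns for the other dirmngr types. Moving it there (or expressing it via the pattern that already covers dirmngr_tmp_t, if one exists outside this hunk) keeps the type's permissions in one place.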
> @@ -92,3 +93,7 @@ optional_policy(`
>  	gpg_secret_filetrans(dirmngr_t, dirmngr_home_t, dir)
>  	gpg_stream_connect_agent(dirmngr_t)
>  ')
> +
> +optional_policy(`
> +	corenet_tcp_connect_tor_port(dirmngr_t)
> +')
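Review bot: The `optional_policy(` wrapper around `corenet_tcp_connect_tor_port(dirmngr_t)` appears unnecessary: corenetwork is part of the kernel layer and is always present, so an optional block adds nothing here and the line can sit with the other `corenet_*` calls for dirmngr_t. A short comment on why dirmngr needs the Tor SOCKS port (presumably the `use-tor` option, please confirm) would also help the next reader decide whether this should rather be tunable-gated.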
> Index: refpolicy-2.20210203/policy/modules/services/dovecot.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/dovecot.te
> +++ refpolicy-2.20210203/policy/modules/services/dovecot.te
> @@ -258,6 +258,8 @@ allow dovecot_auth_t dovecot_t:unix_stre
>  
>  kernel_dontaudit_getattr_proc(dovecot_auth_t)
>  
> +kernel_getattr_proc(dovecot_auth_t)
> +
>  files_search_runtime(dovecot_auth_t)
>  files_read_usr_files(dovecot_auth_t)
>  files_read_var_lib_files(dovecot_auth_t)
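Review bot: `kernel_getattr_proc(dovecot_auth_t)` is added two lines below the existing `kernel_dontaudit_getattr_proc(dovecot_auth_t)`; once the permission is allowed the dontaudit has no effect, so the pair is contradictory and the dontaudit line should be removed in the same change. Replace both lines with the single `kernel_getattr_proc(dovecot_auth_t)`.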
> Index: refpolicy-2.20210203/policy/modules/services/fail2ban.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/fail2ban.te
> +++ refpolicy-2.20210203/policy/modules/services/fail2ban.te
> @@ -63,7 +63,9 @@ manage_files_pattern(fail2ban_t, fail2ba
>  files_runtime_filetrans(fail2ban_t, fail2ban_runtime_t, file)
>  
>  kernel_read_system_state(fail2ban_t)
> +kernel_read_vm_overcommit_sysctl(fail2ban_t)
>  kernel_search_fs_sysctls(fail2ban_t)
> +kernel_search_vm_sysctl(fail2ban_t)
>  
>  corecmd_exec_bin(fail2ban_t)
>  corecmd_exec_shell(fail2ban_t)
> @@ -133,7 +135,7 @@ optional_policy(`
>  #
>  
>  allow fail2ban_client_t self:capability dac_read_search;
> -allow fail2ban_client_t self:unix_stream_socket { create connect write read };
> +allow fail2ban_client_t self:unix_stream_socket { create connect
>  write read shutdown };
create_socket_perms

>  
>  domtrans_pattern(fail2ban_client_t, fail2ban_exec_t, fail2ban_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/ftp.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.fc
> +++ refpolicy-2.20210203/policy/modules/services/ftp.fc
> @@ -1,4 +1,5 @@
>  /etc/proftpd\.conf	--	gen_context(system_u:object_r:ftpd_etc_t,s0)
> +/etc/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_etc_t,s0)
>  
>  /etc/cron\.monthly/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> @@ -22,8 +23,10 @@
>  /usr/sbin/muddleftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/proftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  /usr/sbin/vsftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
> +/usr/sbin/pure-ftpd	--	gen_context(system_u:object_r:ftpd_exec_t,s0)
>  
> -/run/proftpd.*	gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/proftpd.*			gen_context(system_u:object_r:ftpd_runtime_t,s0)
> +/run/pure-ftpd(/.*)?		gen_context(system_u:object_r:ftpd_runtime_t,s0)
>  
>  /usr/libexec/webmin/vsftpd/webalizer/xfer_log	--	gen_context(system_u:object_r:xferlog_t,s0)
>  
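Review bot: `/usr/sbin/pure-ftpd` is inserted after `/usr/sbin/vsftpd`, breaking the alphabetical order the surrounding entries keep (muddleftpd, proftpd, vsftpd); the other two hunks in this file do place the pure-ftpd entries in order. Move the line between the proftpd and vsftpd entries.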
> @@ -31,6 +34,7 @@
>  
>  /var/log/muddleftpd\.log.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/proftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
> +/var/log/pure-ftpd(/.*)?	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/vsftpd.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferlog.*	--	gen_context(system_u:object_r:xferlog_t,s0)
>  /var/log/xferreport.*	--	gen_context(system_u:object_r:xferlog_t,s0)
> Index: refpolicy-2.20210203/policy/modules/services/ftp.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ftp.te
> +++ refpolicy-2.20210203/policy/modules/services/ftp.te
> @@ -180,6 +180,7 @@ allow ftpd_t self:tcp_socket { accept li
>  allow ftpd_t self:shm create_shm_perms;
>  allow ftpd_t self:key manage_key_perms;
>  
> +allow ftpd_t ftpd_etc_t:dir list_dir_perms;
>  allow ftpd_t ftpd_etc_t:file read_file_perms;
>  
>  allow ftpd_t ftpd_keytab_t:file read_file_perms;
> @@ -196,6 +197,7 @@ fs_tmpfs_filetrans(ftpd_t, ftpd_tmpfs_t,
>  
>  manage_dirs_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  manage_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
> +allow ftpd_t ftpd_runtime_t:file map;
>  manage_sock_files_pattern(ftpd_t, ftpd_runtime_t, ftpd_runtime_t)
>  files_runtime_filetrans(ftpd_t, ftpd_runtime_t, { file dir })
>  
> @@ -405,6 +407,13 @@ optional_policy(`
>  	seutil_sigchld_newrole(ftpd_t)
>  ')
>  
> +optional_policy(`
> +	systemd_connect_machined(ftpd_t)

this is probably related to dynamic user resolving? we should probably
address this in auth_use_nsswitch()

> +	systemd_dbus_chat_logind(ftpd_t)
> +	systemd_read_logind_state(ftpd_t)
> +	systemd_write_inherited_logind_sessions_pipes(ftpd_t)

This looks PAM related?

> +')
> +
>  ########################################
>  #
>  # Ctl local policy
> Index: refpolicy-2.20210203/policy/modules/services/kerneloops.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/kerneloops.te
> +++ refpolicy-2.20210203/policy/modules/services/kerneloops.te
> @@ -43,6 +43,7 @@ corenet_tcp_connect_http_port(kerneloops
>  
>  auth_use_nsswitch(kerneloops_t)
>  
> +logging_mmap_generic_logs(kerneloops_t)
>  logging_send_syslog_msg(kerneloops_t)
>  logging_read_generic_logs(kerneloops_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/modemmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/modemmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/modemmanager.te
> @@ -15,7 +15,7 @@ init_daemon_domain(modemmanager_t, modem
>  #
>  
>  allow modemmanager_t self:capability { net_admin sys_admin sys_tty_config };
> -allow modemmanager_t self:process { getsched signal };
> +allow modemmanager_t self:process { getsched setsched signal };
>  allow modemmanager_t self:fifo_file rw_fifo_file_perms;
>  allow modemmanager_t self:unix_stream_socket create_stream_socket_perms;
>  allow modemmanager_t self:netlink_kobject_uevent_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/services/mon.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mon.te
> +++ refpolicy-2.20210203/policy/modules/services/mon.te
> @@ -164,9 +164,10 @@ optional_policy(`
>  #
>  
>  # sys_ptrace is for reading /proc/1/maps etc
> -allow mon_local_test_t self:capability { sys_ptrace sys_admin };
> +allow mon_local_test_t self:capability { sys_rawio sys_ptrace sys_admin };
>  allow mon_local_test_t self:fifo_file rw_fifo_file_perms;
>  allow mon_local_test_t self:process getsched;
> +allow mon_local_test_t self:cap_userns sys_ptrace;
>  
>  can_exec(mon_local_test_t, mon_local_test_exec_t)
>  
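Review bot: `sys_rawio` added to the mon_local_test_t capability rule, together with `storage_raw_read_fixed_disk(mon_local_test_t)` in the third hunk of this file, lets a monitoring test domain read raw fixed-disk devices, which bypasses file labelling for everything stored on those disks; that is a much larger grant than the existing `sys_ptrace` and deserves its own justification. The comment above the rule only explains sys_ptrace; extend it, e.g. `# sys_rawio and raw disk read for <monitor> (TODO name it, e.g. a SMART query)`. Please also move `storage_raw_read_fixed_disk` next to `storage_getattr_fixed_disk_dev` rather than leaving it between `miscfiles_read_localization` and `sysnet_read_config`.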
> @@ -197,8 +198,11 @@ files_list_boot(mon_local_test_t)
>  fs_search_auto_mountpoints(mon_local_test_t)
>  fs_getattr_nfs(mon_local_test_t)
>  fs_getattr_xattr_fs(mon_local_test_t)
> +fs_list_cgroup_dirs(mon_local_test_t)
>  fs_list_hugetlbfs(mon_local_test_t)
>  fs_list_tmpfs(mon_local_test_t)
> +fs_read_cgroup_files(mon_local_test_t)
> +fs_search_cgroup_dirs(mon_local_test_t)
>  fs_search_nfs(mon_local_test_t)
>  
>  storage_getattr_fixed_disk_dev(mon_local_test_t)
> @@ -211,12 +215,14 @@ application_exec_all(mon_local_test_t)
>  
>  auth_use_nsswitch(mon_local_test_t)
>  
> +fsdaemon_read_lib(mon_local_test_t)
>  init_getattr_initctl(mon_local_test_t)
>  
>  logging_send_syslog_msg(mon_local_test_t)
>  
>  miscfiles_read_generic_certs(mon_t)
>  miscfiles_read_localization(mon_local_test_t)
> +storage_raw_read_fixed_disk(mon_local_test_t)
>  
>  sysnet_read_config(mon_local_test_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/mta.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mta.if
> +++ refpolicy-2.20210203/policy/modules/services/mta.if
> @@ -253,6 +253,7 @@ interface(`mta_manage_mail_home_rw_conte
>  	manage_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
>  	allow $1 mail_home_rw_t:file map;
>  	manage_lnk_files_pattern($1, mail_home_rw_t, mail_home_rw_t)
> +	allow $1 mail_home_rw_t:dir watch;
>  ')
>  
>  ########################################
> Index: refpolicy-2.20210203/policy/modules/services/mysql.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/mysql.te
> +++ refpolicy-2.20210203/policy/modules/services/mysql.te
> @@ -67,7 +67,7 @@ files_runtime_file(mysqlmanagerd_runtime
>  
>  allow mysqld_t self:capability { dac_override dac_read_search ipc_lock setgid setuid sys_resource };
>  dontaudit mysqld_t self:capability sys_tty_config;
> -allow mysqld_t self:process { setsched getsched setrlimit signal_perms rlimitinh };
> +allow mysqld_t self:process { getcap setsched getsched setrlimit signal_perms rlimitinh };
>  allow mysqld_t self:fifo_file rw_fifo_file_perms;
>  allow mysqld_t self:shm create_shm_perms;
>  allow mysqld_t self:unix_stream_socket { connectto accept listen };
> Index: refpolicy-2.20210203/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20210203/policy/modules/services/networkmanager.te
> @@ -148,6 +148,7 @@ files_read_usr_files(NetworkManager_t)
>  files_read_usr_src_files(NetworkManager_t)
>  
>  fs_getattr_all_fs(NetworkManager_t)
> +fs_read_nsfs_files(NetworkManager_t)
>  fs_search_auto_mountpoints(NetworkManager_t)
>  fs_list_inotifyfs(NetworkManager_t)
>  
> @@ -163,6 +164,8 @@ init_domtrans_script(NetworkManager_t)
>  
>  auth_use_nsswitch(NetworkManager_t)
>  
> +libs_watch_shared_libs_dir(NetworkManager_t)
> +
>  logging_send_audit_msgs(NetworkManager_t)
>  logging_send_syslog_msg(NetworkManager_t)
>  
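Review bot: `libs_watch_shared_libs_dir(NetworkManager_t)` is unusual for a network daemon and carries no comment; an inotify watch on shared-library directories is typically a side effect of a plugin or GIO module loader, and a reader cannot tell from the hunk whether this is needed or should be a dontaudit. Add a comment naming the trigger, e.g. `# watch on lib dirs from plugin/GIO module loading (TODO confirm)`, or prefer a dontaudit if NetworkManager works without the watch.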
> @@ -184,6 +187,7 @@ sysnet_delete_dhcpc_state(NetworkManager
>  sysnet_search_dhcp_state(NetworkManager_t)
>  sysnet_manage_config(NetworkManager_t)
>  sysnet_etc_filetrans_config(NetworkManager_t)
> +sysnet_watch_config_dir(NetworkManager_t)
>  
>  # certificates in user home directories (cert_home_t in ~/\.pki)
>  userdom_read_user_certs(NetworkManager_t)
> Index: refpolicy-2.20210203/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20210203/policy/modules/services/openvpn.te
> @@ -128,6 +128,7 @@ files_read_etc_runtime_files(openvpn_t)
>  
>  fs_getattr_all_fs(openvpn_t)
>  fs_search_auto_mountpoints(openvpn_t)
> +fs_search_tmpfs(openvpn_t)
>  
>  auth_use_pam(openvpn_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/policykit.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/policykit.te
> +++ refpolicy-2.20210203/policy/modules/services/policykit.te
> @@ -75,6 +75,7 @@ allow policykit_t self:unix_stream_socke
>  rw_files_pattern(policykit_t, policykit_reload_t, policykit_reload_t)
>  
>  manage_files_pattern(policykit_t, policykit_var_lib_t, policykit_var_lib_t)
> +allow policykit_t policykit_var_lib_t:dir watch;
>  
>  manage_dirs_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
>  manage_files_pattern(policykit_t, policykit_runtime_t, policykit_runtime_t)
> Index: refpolicy-2.20210203/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20210203/policy/modules/services/postfix.te
> @@ -516,6 +516,7 @@ manage_files_pattern(postfix_map_t, post
>  files_tmp_filetrans(postfix_map_t, postfix_map_tmp_t, { file dir })
>  
>  kernel_read_kernel_sysctls(postfix_map_t)
> +kernel_read_network_state(postfix_map_t)
>  kernel_dontaudit_list_proc(postfix_map_t)
>  kernel_dontaudit_read_system_state(postfix_map_t)
>  
> @@ -538,10 +539,14 @@ files_dontaudit_search_var(postfix_map_t
>  
>  auth_use_nsswitch(postfix_map_t)
>  
> +domain_use_interactive_fds(postfix_map_t)
> +
>  logging_send_syslog_msg(postfix_map_t)
>  
>  miscfiles_read_localization(postfix_map_t)
>  
> +userdom_use_user_ptys(postfix_map_t)
> +
>  optional_policy(`
>  	locallogin_dontaudit_use_fds(postfix_map_t)
>  ')
> @@ -745,12 +750,17 @@ allow postfix_showq_t postfix_spool_mail
>  allow postfix_showq_t postfix_spool_maildrop_t:lnk_file read_lnk_file_perms;
>  
>  allow postfix_showq_t postfix_spool_t:file read_file_perms;
> +allow postfix_showq_t postfix_postqueue_t:unix_stream_socket { read write };
>  
>  mcs_file_read_all(postfix_showq_t)
>  
>  term_use_all_ptys(postfix_showq_t)
>  term_use_all_ttys(postfix_showq_t)
>  
> +optional_policy(`
> +	unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)
> +')
> +
>  ########################################
>  #
>  # Smtp delivery local policy
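Review bot: `unconfined_run_to(postfix_showq_t, postfix_showq_exec_t)` adds a domain transition from unconfined domains into postfix_showq_t without a comment; showq is normally spawned by the postfix master, so the scenario that needs unconfined to enter the domain directly is not obvious from the hunk. Note it above the block, e.g. `# showq executed directly by unconfined (TODO name the caller)`; the same applies to the `postfix_postqueue_t:unix_stream_socket { read write }` rule, where a short `# inherited postqueue socket` comment would explain why the peer's socket type is the target.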
> Index: refpolicy-2.20210203/policy/modules/services/rpc.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/rpc.te
> +++ refpolicy-2.20210203/policy/modules/services/rpc.te
> @@ -114,6 +114,7 @@ corenet_udp_bind_all_rpc_ports(rpc_domai
>  
>  fs_rw_rpc_named_pipes(rpc_domain)
>  fs_search_auto_mountpoints(rpc_domain)
> +fs_watch_rpc_pipefs_dir(rpc_domain)
>  
>  files_read_etc_runtime_files(rpc_domain)
>  files_read_usr_files(rpc_domain)
> Index: refpolicy-2.20210203/policy/modules/services/samba.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/samba.te
> +++ refpolicy-2.20210203/policy/modules/services/samba.te
> @@ -619,7 +619,7 @@ allow smbcontrol_t self:unix_stream_sock
>  allow smbcontrol_t self:process { signal signull };
>  
>  allow smbcontrol_t { winbind_t nmbd_t smbd_t }:process { signal signull };
> -read_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
> +manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)
>  allow smbcontrol_t samba_runtime_t:dir rw_dir_perms;
>  
>  manage_files_pattern(smbcontrol_t, samba_var_t, samba_var_t)
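Review bot: Replacing `read_files_pattern` with `manage_files_pattern(smbcontrol_t, samba_runtime_t, samba_runtime_t)` lets the control utility create, delete and rewrite every runtime file of the samba daemons (pid files included), not only the file that produced the denial. If smbcontrol only needs to update an existing messaging or lock file, `rw_files_pattern` is the narrower fit; if creation is really required, add a comment naming the file so the width of the grant is documented.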
> @@ -638,6 +638,7 @@ files_search_var_lib(smbcontrol_t)
>  term_use_console(smbcontrol_t)
>  
>  init_use_fds(smbcontrol_t)
> +init_rw_inherited_stream_socket(smbcontrol_t)
I mentioned how this is common to children of systemd and the systemd daemon.
I think this is how journald catches the stdout so that it can log it;
there is probably a more efficient way to address this at a lower level.

>  
>  miscfiles_read_localization(smbcontrol_t)
>  
> Index: refpolicy-2.20210203/policy/modules/services/sendmail.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/sendmail.te
> +++ refpolicy-2.20210203/policy/modules/services/sendmail.te
> @@ -173,6 +173,7 @@ optional_policy(`
>  ')
>  
>  optional_policy(`
> +	userdom_use_user_ttys(sendmail_t)
probably at least inherited? i.e. is userdom_use_inherited_user_ttys() an
option here?

>  	postfix_domtrans_postdrop(sendmail_t)
>  	postfix_domtrans_master(sendmail_t)
>  	postfix_domtrans_postqueue(sendmail_t)
> Index: refpolicy-2.20210203/policy/modules/services/smartmon.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/smartmon.if
> +++ refpolicy-2.20210203/policy/modules/services/smartmon.if
> @@ -56,3 +56,24 @@ interface(`smartmon_admin',`
>  	files_list_var_lib($1)
>  	admin_pattern($1, fsdaemon_var_lib_t)
>  ')
> +
> +########################################
> +## <summary>
> +##	Read fsdaemon /var/lib files
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +## <rolecap/>
> +#
> +interface(`fsdaemon_read_lib',`
> +	gen_require(`
> +		type fsdaemon_var_lib_t;
> +	')
> +
> +	allow $1 fsdaemon_var_lib_t:dir search;
> +	allow $1 fsdaemon_var_lib_t:file read_file_perms;

You can also use a pattern for this. This is exactly the scenario that
suits the use of a pattern:

files_search_var_lib($1)
read_files_pattern($1, fsdaemon_var_lib_t, fsdaemon_var_lib_t)

> +')
> +
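Review bot: The `<rolecap/>` tag on the new interface looks copied from `smartmon_admin` above; it marks an interface as a capability to be granted to roles, which does not fit a plain read interface consumed by a daemon domain, so drop the tag. The name `fsdaemon_read_lib` also departs from the `smartmon_` prefix the module's other interfaces use (see `smartmon_admin` in the context); `smartmon_read_lib` would keep the naming consistent, and the summary should then say what is read, e.g. `Read smartmon (fsdaemon) /var/lib files`.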
> Index: refpolicy-2.20210203/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20210203/policy/modules/services/ssh.te
> @@ -199,6 +199,11 @@ tunable_policy(`user_tcp_server',`
>  ')
>  
>  optional_policy(`
> +	cron_read_pipes(ssh_t)
> +	cron_rw_tmp_files(ssh_t)
> +')
> +
> +optional_policy(`
>  	tunable_policy(`ssh_use_gpg_agent',`
>  		gpg_stream_connect_agent(ssh_t)
>  	')
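Review bot: The added `cron_read_pipes(ssh_t)` / `cron_rw_tmp_files(ssh_t)` block carries no comment saying why the ssh client domain needs cron's pipes and tmp files, unlike the `# dynamic users` comment the same patch adds later in this file. Presumably this covers ssh invoked from cron jobs inheriting cron's descriptors; a one-line comment such as `# ssh started from cron jobs inherits cron pipes and tmp files` above the block would record that. Read/write on cron tmp files is broader than the read-only pipe access beside it, so it is worth stating whether write is actually needed.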
> @@ -269,6 +274,8 @@ ifdef(`distro_debian',`
>  ifdef(`init_systemd',`
>  	auth_use_pam_systemd(sshd_t)
>  	init_dbus_chat(sshd_t)
> +	# dynamic users
> +	init_stream_connect(sshd_t)

probably best to address DynamicUsers.io in auth_use_nsswitch()?

>  	init_rw_stream_sockets(sshd_t)
>  	systemd_write_inherited_logind_sessions_pipes(sshd_t)
>  ')
> Index: refpolicy-2.20210203/policy/modules/services/virt.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.fc
> +++ refpolicy-2.20210203/policy/modules/services/virt.fc
> @@ -9,6 +9,9 @@ HOME_DIR/VirtualMachines/isos(/.*)?	gen_
>  /etc/libvirt/[^/]*	-d	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  /etc/libvirt/.*/.*	gen_context(system_u:object_r:virt_etc_rw_t,s0)
>  
> +/etc/qemu	-d	gen_context(system_u:object_r:virt_etc_t,s0)
> +/etc/qemu/[^/]*	--	gen_context(system_u:object_r:virt_etc_t,s0)
> +
>  /etc/rc\.d/init\.d/(libvirt-bin|libvirtd)	--	gen_context(system_u:object_r:virtd_initrc_exec_t,s0)
>  
>  /etc/xen	-d	gen_context(system_u:object_r:virt_etc_t,s0)
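Review bot: `/etc/qemu/[^/]*	--` on the second added line only labels regular files directly under /etc/qemu, so any subdirectory and its contents would keep the generic etc label rather than virt_etc_t. The existing libvirt entries at the top of the hunk use `/etc/libvirt/.*/.*` to reach nested paths; if the qemu config directory can hold subdirectories (firmware descriptors are commonly kept in one), a single `/etc/qemu(/.*)?	gen_context(system_u:object_r:virt_etc_t,s0)` entry would cover the whole tree.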
> Index: refpolicy-2.20210203/policy/modules/services/virt.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/virt.te
> +++ refpolicy-2.20210203/policy/modules/services/virt.te
> @@ -1272,6 +1272,9 @@ allow virt_bridgehelper_t self:tcp_socke
>  allow virt_bridgehelper_t self:tun_socket create_socket_perms;
>  allow virt_bridgehelper_t self:unix_dgram_socket create_socket_perms;
>  
> +allow virt_bridgehelper_t virt_etc_t:dir list_dir_perms;
> +allow virt_bridgehelper_t virt_etc_t:file read_file_perms;
> +
>  manage_files_pattern(virt_bridgehelper_t, svirt_home_t, svirt_home_t)
>  
>  kernel_read_network_state(virt_bridgehelper_t)
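Review bot: The two added raw `allow` rules on virt_etc_t are exactly what the `read_files_pattern` macro exists for, and the neighbouring line already uses `manage_files_pattern`; `read_files_pattern(virt_bridgehelper_t, virt_etc_t, virt_etc_t)` grants the same dir and file access in one line and keeps the style consistent. A short comment above it naming what is read (presumably the bridge helper's configuration under /etc/qemu, which the virt.fc hunk in this patch labels virt_etc_t) would explain why the bridge helper now reads config files.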
> Index: refpolicy-2.20210203/policy/modules/services/xserver.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.fc
> +++ refpolicy-2.20210203/policy/modules/services/xserver.fc
> @@ -69,6 +69,7 @@ HOME_DIR/\.Xauthority.*	--	gen_context(s
>  /usr/bin/lxdm(-binary)? --	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/[xkw]dm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/sddm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
> +/usr/bin/sddm-greeter	--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/gpe-dm		--	gen_context(system_u:object_r:xdm_exec_t,s0)
>  /usr/bin/iceauth	--	gen_context(system_u:object_r:iceauth_exec_t,s0)
>  /usr/bin/lightdm	--	gen_context(system_u:object_r:xdm_exec_t,s0)
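Review bot: Labelling `/usr/bin/sddm-greeter` as `xdm_exec_t` on the added line gives the greeter the same entry point as the display manager itself, so when xdm_t executes it the greeter stays in xdm_t with the display manager's full privileges; the greeter typically runs under an unprivileged account and only draws the login UI, a narrower job. If that is intended because no separate greeter domain exists, a comment such as `# greeter runs in xdm_t; no dedicated domain` next to the entry would make the choice explicit for the next reader.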
> Index: refpolicy-2.20210203/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20210203/policy/modules/services/xserver.te
> @@ -282,6 +282,7 @@ term_use_ptmx(xauth_t)
>  auth_use_nsswitch(xauth_t)
>  
>  userdom_use_user_terminals(xauth_t)
> +userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)
>  userdom_read_user_tmp_files(xauth_t)
>  
>  xserver_rw_xdm_tmp_files(xauth_t)
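Review bot: `userdom_user_tmp_filetrans(xauth_t, xauth_home_t, file)` on the added line makes every file xauth_t creates in a user tmp directory land as xauth_home_t, a type whose name says home rather than tmp, and the change carries no comment. If only a specific file is meant, the optional trailing filename argument that refpolicy filetrans interfaces take would narrow the transition, and a one-line comment on why a home type is reused for tmp files would help. The surrounding xauth_t block continues outside the hunk.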
> Index: refpolicy-2.20210203/policy/modules/system/mount.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.if
> +++ refpolicy-2.20210203/policy/modules/system/mount.if
> @@ -224,6 +224,42 @@ interface(`mount_watch_runtime_dirs',`
>  
>  ########################################
>  ## <summary>
> +##	Watch mount runtime files.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch;
> +')
> +
> +########################################
> +## <summary>
> +##	Watch mount runtime files reads.
> +## </summary>
> +## <param name="domain">
> +##     <summary>
> +##     Domain allowed access.
> +##     </summary>
> +## </param>
> +#
> +interface(`mount_watch_runtime_files_reads',`
> +	gen_require(`
> +		type mount_runtime_t;
> +	')
> +
> +	allow $1 mount_runtime_t:file watch_reads;
> +')
> +
> +########################################
> +## <summary>
>  ##     Getattr on mount_runtime_t files
>  ## </summary>
>  ## <param name="domain">
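Review bot: The summary of `mount_watch_runtime_files_reads` reads `Watch mount runtime files reads.`, which is hard to parse; `Watch reads of mount runtime files.` states what the `watch_reads` permission grants. Both new interfaces are otherwise consistent with the surrounding file, including its space-indented `<summary>` lines.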
> Index: refpolicy-2.20210203/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20210203/policy/modules/kernel/files.if
> @@ -5932,6 +5932,24 @@ interface(`files_read_var_lib_files',`
>  
>  ########################################
>  ## <summary>
> +##	map generic files in /var/lib.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`files_map_var_lib_files',`
> +	gen_require(`
> +		type var_lib_t;
> +	')
> +
> +	allow $1 var_lib_t:file map;
> +')
> +
> +########################################
> +## <summary>
>  ##	Read generic symbolic links in /var/lib
>  ## </summary>
>  ## <param name="domain">
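Review bot: The summary of `files_map_var_lib_files` starts lowercase (`map generic files in /var/lib.`) while the neighbouring summary (`Read generic symbolic links in /var/lib`) is capitalised; `Map generic files in /var/lib.` matches. Since `map` alone does not let a domain open the file, callers will also need `files_read_var_lib_files()`; a sentence in the summary saying it is meant to be paired with that interface would save a trip through the audit log.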
> Index: refpolicy-2.20210203/policy/modules/system/libraries.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/libraries.if
> +++ refpolicy-2.20210203/policy/modules/system/libraries.if
> @@ -469,3 +469,21 @@ interface(`libs_relabel_shared_libs',`
>  
>  	relabel_files_pattern($1, lib_t, { lib_t textrel_shlib_t })
>  ')
> +
> +########################################
> +## <summary>
> +##	watch lib dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`libs_watch_shared_libs_dir',`
> +	gen_require(`
> +		type lib_t;
> +	')
> +
> +	allow $1 lib_t:dir watch;
> +')
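Review bot: The summary for `libs_watch_shared_libs_dir` is `watch lib dirs` — lowercase, unpunctuated, and saying "lib dirs" where the interface name says shared libs; `Watch shared library directories.` matches the other summaries in the patch and the `libs_*_shared_libs` naming in the hunk header. Since the rule covers every `lib_t` directory rather than one, the plural `libs_watch_shared_libs_dirs` would also read more accurately.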
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.if
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.if
> @@ -545,6 +545,24 @@ interface(`sysnet_manage_config',`
>  
>  #######################################
>  ## <summary>
> +##	Watch a network config dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`sysnet_watch_config_dir',`
> +	gen_require(`
> +		type net_conf_t;
> +	')
> +
> +	allow $1 net_conf_t:dir watch;
> +')
> +
> +#######################################
> +## <summary>
>  ##	Read the dhcp client pid file.  (Deprecated)
>  ## </summary>
>  ## <param name="domain">
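Review bot: The summary of `sysnet_watch_config_dir` says `Watch a network config dir`, but the rule applies to every `net_conf_t` directory; `Watch network configuration directories.` describes the grant and ends with a period like the surrounding summaries.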
> Index: refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/filesystem.if
> +++ refpolicy-2.20210203/policy/modules/kernel/filesystem.if
> @@ -583,6 +583,25 @@ interface(`fs_manage_autofs_symlinks',`
>  
>  ########################################
>  ## <summary>
> +##	Get the attributes of binfmt_misc filesystems.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_getattr_binfmt_misc_fs',`
> +	gen_require(`
> +		type binfmt_misc_fs_t;
> +	')
> +
> +	allow $1 binfmt_misc_fs_t:filesystem getattr;
> +
> +')
> +
> +########################################
> +## <summary>
>  ##	Get the attributes of directories on
>  ##	binfmt_misc filesystems.
>  ## </summary>
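Review bot: There is a stray blank line between `allow $1 binfmt_misc_fs_t:filesystem getattr;` and the closing `')` of `fs_getattr_binfmt_misc_fs`, which none of the other new interfaces in this patch have; drop it so the body ends directly with the allow rule.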
> @@ -4386,6 +4405,24 @@ interface(`fs_getattr_rpc_pipefs',`
>  	allow $1 rpc_pipefs_t:filesystem getattr;
>  ')
>  
> +########################################
> +## <summary>
> +##	Watch a rpc pipefs dir
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_watch_rpc_pipefs_dir',`
> +	gen_require(`
> +		type rpc_pipefs_t;
> +	')
> +
> +	allow $1 rpc_pipefs_t:dir watch;
> +')
> +
>  #########################################
>  ## <summary>
>  ##	Read and write RPC pipe filesystem named pipes.
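Review bot: The summary of `fs_watch_rpc_pipefs_dir` reads `Watch a rpc pipefs dir`; the surrounding summaries spell out the filesystem and end with a period, so `Watch RPC pipe filesystem directories.` would match the `Read and write RPC pipe filesystem named pipes.` wording just below it.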
> @@ -5773,3 +5810,21 @@ interface(`fs_unconfined',`
>  
>  	typeattribute $1 filesystem_unconfined_type;
>  ')
> +
> +########################################
> +## <summary>
> +##	Search bpf dirs
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`fs_search_bpf',`
> +	gen_require(`
> +		type bpf_t;
> +	')
> +
> +	allow $1 bpf_t:dir search;
> +')
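Review bot: `fs_search_bpf` grants `dir search` only, and the name does not say so; comparable directory-search interfaces in this file are named with a `_dirs` suffix (for example `fs_search_cgroup_dirs`), so `fs_search_bpf_dirs` would tell a caller what it gets without reading the body. The summary `Search bpf dirs` could likewise become `Search bpf filesystem directories.` to match the style of the other summaries in the patch.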
>

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift
