Re: making a file context change work for initrc_t and unconfined_t


 



On Sat, 2012-02-04 at 11:01 -0500, Maria Iano wrote:

> 
> Some of the additional file contexts were missing. I've added them to  
> the patch file. I've also attached my te and fc files. Please note, my  
> new diff compared directory trees that were different from yours. Here is
> a line from the updated patch that shows what I'm talking about:
> 
> diff --git a/current/policy/modules/services/likewise.fc b/new/policy/ 
> modules/services/likewise.fc
> 
> Thanks!
> Maria

Yes, I see some minor differences: for example, you have a likewise init
script and keep the pstore lock file in /var/lib rather than /etc.

There was another change that I suggested with regard to escaped
characters, but after thinking about it I do not think that was needed
after all (I was confused about the path differences).

Attached is a modified patch:

I would like a Fedora maintainer to have a look at (ACK) it before I
consider committing this to the git repository. I am especially unsure
about entries like these, which I added:

/var/lib/likewise(-open)?(/.*)?
gen_context(system_u:object_r:likewise_var_lib_t,s0)

I am not sure whether those regular expressions will work.

Also, I think it would be even better if someone could test this once
more from scratch (e.g. with a totally clean /var/lib) to see whether
all objects are created with the proper types.

And then also to see whether all file context specifications are proper
now.

Thanks for your help

>From 0fa4f19a431df14fbd2aeb3d12812a37536e65b4 Sat, 4 Feb 2012 19:04:08 +0100
From: Dominick Grift <dominick.grift@xxxxxxxxx>
Date: Sat, 4 Feb 2012 19:03:08 +0100
Subject: [PATCH] Likewise sometimes installs in "likewise" and sometimes "likewise-open" Various fixes: https://lists.fedoraproject.org/pipermail/selinux/2012-January/014333.html

Signed-off-by: Dominick Grift <dominick.grift@xxxxxxxxx>

diff --git a/policy/modules/services/likewise.fc b/policy/modules/services/likewise.fc
index 057a4e4..438843f 100644
--- a/policy/modules/services/likewise.fc
+++ b/policy/modules/services/likewise.fc
@@ -10,6 +10,16 @@
 /etc/rc\.d/init\.d/lwsmd		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/netlogond		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
 /etc/rc\.d/init\.d/srvsvcd		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+/etc/rc\.d/init\.d/likewise		--	gen_context(system_u:object_r:likewise_initrc_exec_t,s0)
+
+/opt/likewise(-open)?/sbin/dcerpcd			--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
+/opt/likewise(-open)?/sbin/eventlogd			--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lsassd			--	gen_context(system_u:object_r:lsassd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwiod				--	gen_context(system_u:object_r:lwiod_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwregd			--	gen_context(system_u:object_r:lwregd_exec_t,s0)
+/opt/likewise(-open)?/sbin/lwsmd				--	gen_context(system_u:object_r:lwsmd_exec_t,s0)
+/opt/likewise(-open)?/sbin/netlogond			--	gen_context(system_u:object_r:netlogond_exec_t,s0)
+/opt/likewise(-open)?/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
 
 /usr/sbin/dcerpcd			--	gen_context(system_u:object_r:dcerpcd_exec_t,s0)
 /usr/sbin/eventlogd			--	gen_context(system_u:object_r:eventlogd_exec_t,s0)
@@ -20,30 +30,35 @@
 /usr/sbin/netlogond			--	gen_context(system_u:object_r:netlogond_exec_t,s0)
 /usr/sbin/srvsvcd			--	gen_context(system_u:object_r:srvsvcd_exec_t,s0)
 
-/var/lib/likewise-open(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwiod		-s	gen_context(system_u:object_r:lwiod_var_socket_t,s0)
-/var/lib/likewise-open/\.regsd		-s	gen_context(system_u:object_r:lwregd_var_socket_t,s0)
-/var/lib/likewise-open/\.lwsm		-s	gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
-/var/lib/likewise-open/\.netlogond	-s	gen_context(system_u:object_r:netlogond_var_socket_t,s0)
-/var/lib/likewise-open/\.ntlmd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
-/var/lib/likewise-open/krb5-affinity.conf --	gen_context(system_u:object_r:netlogond_var_lib_t, s0)
-/var/lib/likewise-open/krb5ccr_lsass	--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
-/var/lib/likewise-open/LWNetsd\.err	--	gen_context(system_u:object_r:netlogond_var_lib_t,s0)
-/var/lib/likewise-open/lsasd\.err	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/regsd\.err	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/db		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/db/lwi_events.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
-/var/lib/likewise-open/db/sam\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adcache\.db --	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/lsass-adstate\.filedb -- gen_context(system_u:object_r:lsassd_var_lib_t,s0)
-/var/lib/likewise-open/db/registry\.db	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
-/var/lib/likewise-open/rpc		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/rpc/epmapper	-s	gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/lsass	-s	gen_context(system_u:object_r:lsassd_var_socket_t, s0)
-/var/lib/likewise-open/rpc/socket 	-s	gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
-/var/lib/likewise-open/run		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
-/var/lib/likewise-open/run/rpcdep.dat	--	gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
+/var/lib/likewise(-open)?(/.*)?			gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/\.eventlog	-s	gen_context(system_u:object_r:eventlogd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lsassd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwiod		-s	gen_context(system_u:object_r:lwiod_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.regsd		-s	gen_context(system_u:object_r:lwregd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwsm		-s	gen_context(system_u:object_r:lwsmd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.lwsmd-lock	--	gen_context(system_u:object_r:lwsmd_var_lib_t,s0)
+/var/lib/likewise(-open)?/\.netlogond	-s	gen_context(system_u:object_r:netlogond_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.ntlmd		-s	gen_context(system_u:object_r:lsassd_var_socket_t,s0)
+/var/lib/likewise(-open)?/\.pstore\.lock	--	gen_context(system_u:object_r:likewise_pstore_lock_t,s0)
+/var/lib/likewise(-open)?/krb5-affinity.conf --	gen_context(system_u:object_r:netlogond_var_lib_t, s0)
+/var/lib/likewise(-open)?/krb5cc\_lsass\..*		--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise(-open)?/krb5ccr_lsass	--	gen_context(system_u:object_r:lsassd_var_lib_t, s0)
+/var/lib/likewise(-open)?/LWNetsd\.err	--	gen_context(system_u:object_r:netlogond_var_lib_t,s0)
+/var/lib/likewise(-open)?/lsasd\.err	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/regsd\.err	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lwi_events.db	--	gen_context(system_u:object_r:eventlogd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/sam\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adcache\.filedb\..*	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adcache\.db	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/lsass-adstate\.filedb	--	gen_context(system_u:object_r:lsassd_var_lib_t,s0)
+/var/lib/likewise(-open)?/db/registry\.db	--	gen_context(system_u:object_r:lwregd_var_lib_t,s0)
+/var/lib/likewise(-open)?/rpc		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/rpc/epmapper	-s	gen_context(system_u:object_r:dcerpcd_var_socket_t, s0)
+/var/lib/likewise(-open)?/rpc/lsass	-s	gen_context(system_u:object_r:lsassd_var_socket_t, s0)
+/var/lib/likewise(-open)?/rpc/socket 	-s	gen_context(system_u:object_r:eventlogd_var_socket_t, s0)
+/var/lib/likewise(-open)?/run		-d	gen_context(system_u:object_r:likewise_var_lib_t,s0)
+/var/lib/likewise(-open)?/run/rpcdep.dat	--	gen_context(system_u:object_r:dcerpcd_var_lib_t, s0)
 
 /var/run/eventlogd.pid			--	gen_context(system_u:object_r:eventlogd_var_run_t,s0)
 /var/run/lsassd.pid			--	gen_context(system_u:object_r:lsassd_var_run_t,s0)
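Review bot: Three of the re-added entries leave the `.` unescaped — the `krb5-affinity.conf`, `lwi_events.db` and `rpcdep.dat` lines — so the dot matches any character there, while the neighbouring entries escape it (`\.err`, `sam\.db`); they should read `krb5-affinity\.conf`, `lwi_events\.db` and `rpcdep\.dat`. The practical effect is small, but a specific-file entry that is broader than intended can hand its type to a path that should have fallen back to `likewise_var_lib_t`. The `krb5cc\_lsass\..*` entry uses `\_`, which is not a defined escape in POSIX ERE; a plain `_` is safer. The `(-open)?` group the author asks about is ordinary ERE, so that part of the change looks fine on its own.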
diff --git a/policy/modules/services/likewise.if b/policy/modules/services/likewise.if
index 81d98b3..a340496 100644
--- a/policy/modules/services/likewise.if
+++ b/policy/modules/services/likewise.if
@@ -74,6 +74,8 @@
 	manage_sock_files_pattern($1_t, likewise_var_lib_t, $1_var_socket_t)
 	filetrans_pattern($1_t, likewise_var_lib_t, $1_var_socket_t, sock_file)
 
+	kernel_read_system_state($1_t)
+
 	dev_read_rand($1_t)
 	dev_read_urand($1_t)
 
diff --git a/policy/modules/services/likewise.te b/policy/modules/services/likewise.te
index 18dc6e5..4a373fa 100644
--- a/policy/modules/services/likewise.te
+++ b/policy/modules/services/likewise.te
@@ -84,6 +84,10 @@
 corenet_udp_sendrecv_generic_node(eventlogd_t)
 corenet_udp_sendrecv_generic_port(eventlogd_t)
 
+corenet_tcp_connect_epmap_port(eventlogd_t)
+corenet_tcp_sendrecv_epmap_port(eventlogd_t)
+corenet_sendrecv_epmap_client_packets(eventlogd_t)
+
 #################################
 #
 # Likewise Authentication service local policy
@@ -124,6 +128,7 @@
 corenet_tcp_connect_epmap_port(lsassd_t)
 corenet_tcp_sendrecv_epmap_port(lsassd_t)
 
+domain_dontaudit_search_all_domains_state(lsassd_t)
 domain_obj_id_change_exemption(lsassd_t)
 
 files_manage_etc_files(lsassd_t)
@@ -155,14 +160,15 @@
 # Likewise I/O service local policy
 #
 
-allow lwiod_t self:capability { fowner chown fsetid dac_override };
+allow lwiod_t self:process setrlimit;
+allow lwiod_t self:capability { fowner chown fsetid dac_override sys_resource };
 allow lwiod_t self:netlink_route_socket rw_netlink_socket_perms;
 
-allow lwiod_t likewise_krb5_ad_t:file read_file_perms;
-allow lwiod_t netlogond_var_lib_t:file read_file_perms;
+allow lwiod_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
 
 stream_connect_pattern(lwiod_t, likewise_var_lib_t, lwregd_var_socket_t, lwregd_t)
 stream_connect_pattern(lwiod_t, likewise_var_lib_t, lsassd_var_socket_t, lsassd_t)
+stream_connect_pattern(lwiod_t, likewise_var_lib_t, netlogond_var_socket_t, netlogond_t)
 
 corenet_all_recvfrom_netlabel(lwiod_t)
 corenet_all_recvfrom_unlabeled(lwiod_t)
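Review bot: `sys_resource` is added to lwiod_t's capabilities together with `self:process setrlimit`; `setrlimit` alone is enough for a daemon that raises a soft limit up to its hard limit, whereas `sys_resource` additionally lets it exceed hard limits and is a much broader grant. It would be worth confirming from the original denial that lwiod really raises a hard limit before keeping the capability; if it does not, `allow lwiod_t self:process setrlimit;` on its own may be sufficient. A short comment on the capability line stating which limit it adjusts would also make the grant easier to audit later.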
@@ -187,8 +193,12 @@
 # Likewise Service Manager service local policy
 #
 
+allow lwsmd_t self:process setpgid;
+
 allow lwsmd_t likewise_domains:process signal;
 
+allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;
+
 domtrans_pattern(lwsmd_t, dcerpcd_exec_t, dcerpcd_t)
 domtrans_pattern(lwsmd_t, eventlogd_exec_t, eventlogd_t)
 domtrans_pattern(lwsmd_t, lsassd_exec_t, lsassd_t)
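Review bot: The new rule `allow lwsmd_t { likewise_krb5_ad_t netlogond_var_lib_t }:file read_file_perms;` repeats the one given to lwiod_t in the previous hunk; if further daemons need the same pair, an interface in likewise.if wrapping it would keep the two in step and avoid the duplication. `allow lwsmd_t self:process setpgid;` is added without explanation; a one-line comment on why the service manager changes process groups (presumably for the daemons it starts via the domtrans_pattern calls below, but that is inferred) would help a future reviewer judge whether the permission is still needed.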
--

