Re: [PATCH misc 2/3] selinuxutil sysnetwork consolekit apt dpkg udev iptables logrotate, and gpm

On Wed, Jan 02, 2019 at 07:07:19PM -0500, Chris PeBenito wrote:
> On 1/2/19 3:45 AM, Russell Coker wrote:
> > Lots of little stuff.
> > 
> > Also the sysnet_dns_name_resolve() change the previous patch needed.
> > 
> [...]
> 
> > --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te
> > +++ refpolicy-2.20180701/policy/modules/services/consolekit.te
> > @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_
> >   # Local policy
> >   #
> >   
> > -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
> > +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config };
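Review bot: the commit message should state which operation produced the dac_read_search denial and why dac_override has to stay next to it, because the two capabilities overlap (dac_override bypasses all DAC permission checks, dac_read_search only bypasses file read and directory read/search) and a reader seeing both granted to consolekit_t will otherwise assume one of them is stale. If the remaining need for dac_override is only unlinking entries under /run/user/<uid>, saying so in the message settles the question without a retest.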
> 
> Since you're getting the dac_read_search denial, the dac_override 
> probably isn't necessary anymore.  Can you retest without it?

No, consolekit definitely needs dac_override. It needs to be able to
nuke /run/user/1000/*. It perhaps doesn't need to read, only nuke, but I'd
say granting the perm instead of dontaudit makes things easier if doing
semodule -DB.
> 
> 
> 
> [...]
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> > +++ refpolicy-2.20180701/policy/modules/system/udev.te
> [...]
> 
> > @@ -328,6 +324,11 @@ optional_policy(`
> >   ')
> >   
> >   optional_policy(`
> > +	iptables_domtrans(udev_t)
> > +	iptables_write_pipe(udev_t)
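Review bot: besides the redundancy of iptables_write_pipe() with the domtrans interface, the two calls are inserted at the top of an existing `optional_policy(` block whose contents are outside this hunk. If that block guards a different module, the iptables calls need their own `optional_policy(` block, since refpolicy keeps one optional_policy block per module so that the rules drop out cleanly when the iptables module is not loaded.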
> 
> I'm not clear why this separate pipe interface is necessary, as that 
> access should be provided by the domtrans interface already.
> 
> 
> > --- refpolicy-2.20180701.orig/policy/modules/system/iptables.if
> > +++ refpolicy-2.20180701/policy/modules/system/iptables.if
> > @@ -25,6 +25,24 @@ interface(`iptables_domtrans',`
> >   
> >   ########################################
> >   ## <summary>
> > +##	Allow iptables to write to a pipe
> > +## </summary>
> > +## <param name="domain">
> > +##	<summary>
> > +##	Domain to be written to
> > +##	</summary>
> > +## </param>
> > +#
> > +interface(`iptables_write_pipe',`
> 
> Should be iptables_write_inherited_pipe().
> 
> > +	gen_require(`
> > +		type iptables_t;
> > +	')
> > +
> > +	allow iptables_t $1:fifo_file write;
> > +')
> > +
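Review bot: the `<param name="domain">` summary "Domain to be written to" misdescribes the parameter: iptables_t is the writer, and `$1` is the domain whose inherited pipe is written, so "Domain whose inherited pipe iptables writes to" would match the rule `allow iptables_t $1:fifo_file write;`. With the rename to iptables_write_inherited_pipe() that also makes the intent clear, and it shows why the interface is only useful for a domain other than the one doing the domain transition, since the domtrans interface already covers the transitioning caller's fifo.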
> 
> -- 
> Chris PeBenito


