Re: [PATCH misc 1/3] backup boinc fetchmail, gdomap jabber mon syncthing ssh and login

[Chris PeBenito <pebenito@xxxxxxxx>]

On 1/2/19 8:27 PM, Russell Coker wrote:
> Would you like me to resubmit those patches or would you rather just add them
> with the changes you suggest?

My preference in this case would be resubmit.


> On Thursday, 3 January 2019 10:52:55 AM AEDT Chris PeBenito wrote:
> > On 1/2/19 3:40 AM, Russell Coker wrote:
> > > Lots of little things that are self-explanatory.
> > >
> > > Boinc has some unusual stuff for lsb_release -a and for mmaping
> > > ld.so.cache.
> > >
> > > Remove obsolete policy from syncthing as we have it in
> > > sysnet_dns_name_resolve().
> >
> > [...]
> >
> > > Index: refpolicy-2.20180701/policy/modules/services/boinc.te
> > > ===================================================================
> > > --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te
> > > +++ refpolicy-2.20180701/policy/modules/services/boinc.te
> >
> > [...]
> >
> > > @@ -169,7 +173,7 @@ optional_policy(`
> > >
> > >    #
> > >    
> > >    allow boinc_project_t self:capability { setgid setuid };
> > >
> > > -allow boinc_project_t self:process { execmem execstack noatsecure ptrace
> > > setcap getcap setpgid setsched signal_perms }; +allow boinc_project_t
> > > self:process { execmem execstack noatsecure ptrace setcap getcap setpgid
> > > setsched signal signal_perms };
> > This change shouldn't be necessary since signal is already in signal_perms.
> >
> > [...]
> >
> > > --- refpolicy-2.20180701.orig/policy/modules/system/authlogin.if
> > > +++ refpolicy-2.20180701/policy/modules/system/authlogin.if
> > > @@ -823,6 +823,25 @@ interface(`auth_append_lastlog',`
> > >
> > >    #######################################
> > >    ## <summary>
> > >
> > > +##	relabel the last logins log.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##	<summary>
> > > +##	Domain allowed access.
> > > +##	</summary>
> > > +## </param>
> > > +#
> > > +interface(`auth_relabel_lastlog',`
> > > +	gen_require(`
> > > +		type lastlog_t;
> > > +	')
> > > +
> > > +	logging_search_logs($1)
> > > +	allow $1 lastlog_t:file { relabelfrom relabelto };
> > > +')
> > > +
> > > +#######################################
> > > +## <summary>
> > >
> > >    ##	Read and write to the last logins log.
> > >    ## </summary>
> > >    ## <param name="domain">
> > >
> > > @@ -841,6 +860,25 @@ interface(`auth_rw_lastlog',`
> > >
> > >    ')
> > >    
> > >    ########################################
> > >
> > > +## <summary>
> > > +##     Manage the last logins log.
> > > +## </summary>
> > > +## <param name="domain">
> > > +##     <summary>
> > > +##     Domain allowed access.
> > > +##     </summary>
> > > +## </param>
> > > +#
> > > +interface(`auth_manage_lastlog',`
> > > +	gen_require(`
> > > +		type lastlog_t;
> > > +	')
> > > +
> > > +	allow $1 lastlog_t:file { relabelfrom relabelto manage_file_perms };
> >
> > The relabel perms shouldn't be in here.  I'd say split it into a new
> > interface, but you're adding the other interface earlier in the patch.


--
Chris PeBenito