Re: [PATCH] last misc stuff

[Chris PeBenito <pebenito@xxxxxxxx>]

On 1/4/19 2:35 AM, Russell Coker wrote:
> More tiny patches.  Note that this and the other 2 patches I just sent are not
> dependent on each other, please apply any that you like.
>
> Index: refpolicy-2.20180701/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20180701/policy/modules/admin/apt.fc
> @@ -1,9 +1,12 @@
>   /etc/cron\.daily/apt	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   
> -ifndef(`distro_redhat',`
> +/usr/bin/apt		--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/bin/apt-get	--	gen_context(system_u:object_r:apt_exec_t,s0)
> -/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/bin/aptitude	--	gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +
> +ifndef(`distro_redhat',`
> +/usr/bin/apt-shell	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/sbin/synaptic	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /usr/lib/packagekit/packagekitd	--	gen_context(system_u:object_r:apt_exec_t,s0)
>   /var/cache/PackageKit(/.*)?	gen_context(system_u:object_r:apt_var_cache_t,s0)

I modified some of these changes, as it results in file context 
conflicts with the RPM module.  More accurately, I removed the fc 
entries in RPM that label the apt executables.  I moved the apt-shell 
back out of the ifndef block.

I think the synaptic and packagekit fc entries, which are in both apt 
and rpm modules, may need to be dropped and move to the distro's 
patches.  Either that, or this ifndef needs to turn into ifdef debian 
(or something else).

Otherwise merged.


> Index: refpolicy-2.20180701/policy/modules/admin/backup.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/backup.te
> +++ refpolicy-2.20180701/policy/modules/admin/backup.te
> @@ -65,6 +65,8 @@ auth_read_shadow(backup_t)
>   
>   logging_send_syslog_msg(backup_t)
>   
> +miscfiles_read_localization(backup_t)
> +
>   sysnet_read_config(backup_t)
>   
>   userdom_use_user_terminals(backup_t)
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.te
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.te
> @@ -317,6 +317,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	init_dbus_chat(dpkg_script_t)
> +')
> +
> +optional_policy(`
>   	modutils_run(dpkg_script_t, dpkg_roles)
>   ')
>   
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -92,6 +92,8 @@ fs_search_auto_mountpoints(logrotate_t)
>   fs_getattr_xattr_fs(logrotate_t)
>   fs_list_inotifyfs(logrotate_t)
>   fs_getattr_tmpfs(logrotate_t)
> +# killall reads nsfs files
> +fs_read_nsfs_files(logrotate_t)
>   
>   mls_file_read_all_levels(logrotate_t)
>   mls_file_write_all_levels(logrotate_t)
> Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
> @@ -189,7 +189,7 @@ optional_policy(`
>   #
>   
>   allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
> -dontaudit groupadd_t self:capability { fsetid sys_tty_config };
> +dontaudit groupadd_t self:capability { fsetid net_admin sys_tty_config };
>   allow groupadd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>   allow groupadd_t self:fd use;
>   allow groupadd_t self:fifo_file rw_fifo_file_perms;
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
>   userdom_dontaudit_search_user_home_dirs(groupadd_t)
>   
>   optional_policy(`
> +	dbus_system_bus_client(groupadd_t)
> +')
> +
> +optional_policy(`
>   	dpkg_use_fds(groupadd_t)
>   	dpkg_rw_pipes(groupadd_t)
>   ')
> @@ -269,6 +273,10 @@ optional_policy(`
>   	rpm_rw_pipes(groupadd_t)
>   ')
>   
> +optional_policy(`
> +	unconfined_use_fds(groupadd_t)
> +')
> +
>   ########################################
>   #
>   # Passwd local policy
> @@ -446,7 +454,7 @@ optional_policy(`
>   #
>   
>   allow useradd_t self:capability { chown dac_override fowner fsetid kill setuid sys_resource };
> -dontaudit useradd_t self:capability sys_tty_config;
> +dontaudit useradd_t self:capability { net_admin sys_tty_config };
>   allow useradd_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
>   allow useradd_t self:fd use;
>   allow useradd_t self:fifo_file rw_fifo_file_perms;
> @@ -538,6 +546,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	dbus_system_bus_client(useradd_t)
> +')
> +
> +optional_policy(`
>   	dpkg_use_fds(useradd_t)
>   	dpkg_rw_pipes(useradd_t)
>   ')
> @@ -560,3 +572,7 @@ optional_policy(`
>   	rpm_use_fds(useradd_t)
>   	rpm_rw_pipes(useradd_t)
>   ')
> +
> +optional_policy(`
> +	unconfined_use_fds(useradd_t)
> +')
> Index: refpolicy-2.20180701/policy/modules/apps/syncthing.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/apps/syncthing.te
> +++ refpolicy-2.20180701/policy/modules/apps/syncthing.te
> @@ -63,7 +63,3 @@ userdom_user_content_access_template(syn
>   
>   userdom_use_user_terminals(syncthing_t)
>   
> -optional_policy(`
> -	# temporary hack for /run/NetworkManager/resolv.conf until we make this part of sysnet_dns_name_resolve()
> -	networkmanager_read_pid_files(syncthing_t)
> -')
> Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
> +++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
> @@ -181,6 +181,7 @@ ifdef(`distro_gentoo',`
>   /usr/lib/ConsoleKit/run-session.d(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/ConsoleKit/scripts(/.*)?	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/courier(/.*)?			gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/crda/setregdomain	--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/cups(/.*)? 			gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/cyrus/.*		--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/cyrus-imapd/.*		--	gen_context(system_u:object_r:bin_t,s0)
> @@ -215,6 +216,7 @@ ifdef(`distro_gentoo',`
>   /usr/lib/rpm/rpmk		-- 	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/rpm/rpmq		-- 	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/rpm/rpmv		-- 	gen_context(system_u:object_r:bin_t,s0)
> +/usr/lib/rsyslog/rsyslog-rotate --	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/security/pam_krb5/pam_krb5_storetmp -- gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/selinux/hll/pp		--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/lib/sftp-server		--	gen_context(system_u:object_r:bin_t,s0)
> @@ -319,6 +321,7 @@ ifdef(`distro_gentoo',`
>   /usr/share/sandbox/sandboxX.sh	--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/share/sectool/.*\.py	--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/share/selinux/devel/policygentool -- gen_context(system_u:object_r:bin_t,s0)
> +/usr/share/smartmontools/.*	--	gen_context(system_u:object_r:bin_t,s0)
>   /usr/share/smolt/client(/.*)?		gen_context(system_u:object_r:bin_t,s0)
>   /usr/share/shorewall/compiler\.pl --	gen_context(system_u:object_r:bin_t,s0)
>   /usr/share/shorewall/configpath	--	gen_context(system_u:object_r:bin_t,s0)
> Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
> +++ refpolicy-2.20180701/policy/modules/system/locallogin.te
> @@ -34,7 +34,7 @@ role system_r types sulogin_t;
>   
>   allow local_login_t self:capability { chown dac_read_search dac_override fowner fsetid kill setgid setuid sys_nice sys_resource sys_tty_config };
>   dontaudit local_login_t self:capability net_admin;
> -allow local_login_t self:process { setexec setrlimit setsched };
> +allow local_login_t self:process { getcap setcap setexec setrlimit setsched };
>   allow local_login_t self:fd use;
>   allow local_login_t self:fifo_file rw_fifo_file_perms;
>   allow local_login_t self:sock_file read_sock_file_perms;
> @@ -127,6 +127,7 @@ init_dontaudit_use_fds(local_login_t)
>   
>   miscfiles_read_localization(local_login_t)
>   
> +userdom_manage_all_users_keys(local_login_t)
>   userdom_spec_domtrans_all_users(local_login_t)
>   userdom_signal_all_users(local_login_t)
>   userdom_search_user_home_content(local_login_t)
> Index: refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20180701/policy/modules/system/selinuxutil.te
> @@ -606,6 +606,7 @@ files_read_usr_symlinks(setfiles_t)
>   files_dontaudit_read_all_symlinks(setfiles_t)
>   
>   fs_getattr_all_xattr_fs(setfiles_t)
> +fs_getattr_cgroup(setfiles_t)
>   fs_getattr_nfs(setfiles_t)
>   fs_getattr_pstore_dirs(setfiles_t)
>   fs_getattr_pstorefs(setfiles_t)
> Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20180701/policy/modules/system/sysnetwork.te
> @@ -68,6 +68,7 @@ exec_files_pattern(dhcpc_t, dhcp_etc_t,
>   allow dhcpc_t dhcp_state_t:file read_file_perms;
>   manage_files_pattern(dhcpc_t, dhcpc_state_t, dhcpc_state_t)
>   filetrans_pattern(dhcpc_t, dhcp_state_t, dhcpc_state_t, file)
> +allow dhcpc_t dhcpc_state_t:file map;
>   
>   # create pid file
>   manage_files_pattern(dhcpc_t, dhcpc_var_run_t, dhcpc_var_run_t)
> @@ -339,6 +340,8 @@ init_use_script_ptys(ifconfig_t)
>   
>   logging_send_syslog_msg(ifconfig_t)
>   
> +# dhclient reads /etc/ssl
> +miscfiles_read_generic_certs(dhcpc_t)
>   miscfiles_read_localization(ifconfig_t)
>   
>   seutil_use_runinit_fds(ifconfig_t)
> Index: refpolicy-2.20180701/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20180701/policy/modules/system/udev.te
> @@ -306,10 +306,6 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> -	lvm_domtrans(udev_t)
> -')
> -
> -optional_policy(`
>   	fstools_domtrans(udev_t)
>   ')
>   
> @@ -328,6 +324,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	iptables_domtrans(udev_t)
> +')
> +
> +optional_policy(`
>   	lvm_domtrans(udev_t)
>   ')
>   


--
Chris PeBenito