Re: [PATCH] some little stuff

[Chris PeBenito <pebenito@xxxxxxxx>]

On 1/11/19 5:30 AM, Russell Coker wrote:
> Tiny and I think they are all obvious.
>
> Index: refpolicy-2.20180701/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20180701/policy/modules/admin/bootloader.te
> @@ -147,7 +147,9 @@ miscfiles_read_localization(bootloader_t
>   
>   mount_rw_runtime_files(bootloader_t)
>   
> +selinux_getattr_fs(bootloader_t)
>   seutil_read_bin_policy(bootloader_t)
> +seutil_read_file_contexts(bootloader_t)
>   seutil_read_loadpolicy(bootloader_t)
>   seutil_dontaudit_search_config(bootloader_t)
>   
> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -37,7 +37,8 @@ role system_r types logrotate_mail_t;
>   # Local policy
>   #
>   
> -allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# sys_ptrace is for systemctl
> +allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_ptrace sys_nice sys_resource };

I didn't merge this because it seems peculiar. There is no process 
ptrace permission and also because it doesn't seem like it should be 
allowed to ptrace anyway.

>   # systemctl asks for net_admin
>   dontaudit logrotate_t self:capability net_admin;
>   allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> Index: refpolicy-2.20180701/policy/modules/services/dhcp.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/dhcp.te
> +++ refpolicy-2.20180701/policy/modules/services/dhcp.te
> @@ -105,6 +105,7 @@ auth_use_nsswitch(dhcpd_t)
>   
>   logging_send_syslog_msg(dhcpd_t)
>   
> +miscfiles_read_generic_certs(dhcpd_t)
>   miscfiles_read_localization(dhcpd_t)
>   
>   sysnet_read_dhcp_config(dhcpd_t)
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -333,6 +333,7 @@ optional_policy(`
>   
>   optional_policy(`
>   	xserver_domtrans_xauth(sshd_t)
> +	xserver_link_xdm_keys(sshd_t)
>   ')
>   
>   ########################################
> Index: refpolicy-2.20180701/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20180701/policy/modules/services/xserver.if
> @@ -1634,6 +1634,24 @@ interface(`xserver_rw_xdm_keys',`
>   
>   ########################################
>   ## <summary>
> +##	Manage keys for xdm.
> +## </summary>
> +## <param name="domain">
> +##	<summary>
> +##	Domain allowed access.
> +##	</summary>
> +## </param>
> +#
> +interface(`xserver_link_xdm_keys',`
> +	gen_require(`
> +		type xdm_t;
> +	')
> +
> +	allow $1 xdm_t:key link;
> +')
> +
> +########################################
> +## <summary>
>   ##	Read and write the mesa shader cache.
>   ## </summary>
>   ## <param name="domain">
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
> @@ -708,6 +708,9 @@ allow xserver_t mesa_shader_cache_t:file
>   xdg_cache_filetrans(xserver_t, mesa_shader_cache_t, dir, "mesa_shader_cache")
>   xdg_generic_user_home_dir_filetrans_cache(xserver_t, dir, ".cache")
>   
> +# for writing to ~/.local/share/sddm/xorg-session.log
> +xdg_manage_data(xauth_t)
>   domtrans_pattern(xserver_t, xauth_exec_t, xauth_t)
>   allow xserver_t xauth_home_t:file read_file_perms;
>   
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -337,6 +337,10 @@ optional_policy(`
>   	networkmanager_dbus_chat(systemd_hostnamed_t)
>   ')
>   
> +optional_policy(`
> +	unconfined_dbus_send(systemd_hostnamed_t)
> +')

This comment:

https://github.com/SELinuxProject/refpolicy/issues/18#issuecomment-452316615

makes me rethink all dbus sends to unconfined domains, especially 
unconfined_t.  This here isn't all confined domains, but I want more 
consideration for the perm.


>   #########################################
>   #
>   # hw local policy
> @@ -431,6 +435,7 @@ dev_rw_input_dev(systemd_logind_t)
>   dev_rw_sysfs(systemd_logind_t)
>   dev_setattr_dri_dev(systemd_logind_t)
>   dev_setattr_generic_usb_dev(systemd_logind_t)
> +dev_setattr_input_dev(systemd_logind_t)
>   dev_setattr_kvm_dev(systemd_logind_t)
>   dev_setattr_sound_dev(systemd_logind_t)
>   dev_setattr_video_dev(systemd_logind_t)
> @@ -680,10 +685,11 @@ miscfiles_read_localization(systemd_noti
>   # Nspawn local policy
>   #
>   
> -allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
> +allow systemd_nspawn_t self:process { signal getcap setcap setfscreate setrlimit sigkill };
>   allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
>   allow systemd_nspawn_t self:capability2 wake_alarm;
>   allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> +allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms;
>   
>   allow systemd_nspawn_t systemd_journal_t:dir search;
>   
> Index: refpolicy-2.20180701/policy/modules/admin/usermanage.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/usermanage.te
> +++ refpolicy-2.20180701/policy/modules/admin/usermanage.te
> @@ -252,6 +252,10 @@ userdom_use_unpriv_users_fds(groupadd_t)
>   userdom_dontaudit_search_user_home_dirs(groupadd_t)
>   
>   optional_policy(`
> +	apt_use_fds(groupadd_t)
> +')
> +
> +optional_policy(`
>   	dbus_system_bus_client(groupadd_t)
>   ')
>   
> @@ -546,6 +550,10 @@ optional_policy(`
>   ')
>   
>   optional_policy(`
> +	apt_use_fds(groupadd_t)
> +')
> +
> +optional_policy(`
>   	dbus_system_bus_client(useradd_t)
>   ')
>   


--
Chris PeBenito