Russell Coker <russell@xxxxxxxxxxxx> writes: > Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't > be necessary. You misunderstood. This is ok to allow, but without the nnp_nosuid_transition policy capability set these processes setting nnp would potentially cause issues with SELinux. > > Lots of little stuff for system_cronjob_t. > > Other minor trivial changes that should be obvious. > 
> Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
> +++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
> @@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
> 
> allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## Transition to dpkg_t when NNP has been set
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_nnp_transition',`
> + gen_require(`
> + type dpkg_t;
> + ')
> +
> + allow $1 dpkg_t:process2 nnp_transition;
> +')
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
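Review bot: The new interface's description, `## Transition to dpkg_t when NNP has been set`, does not record the precondition the reply above points out: `process2 nnp_transition` is only consulted when the `nnp_nosuid_transition` policy capability is declared, and as far as I understand the kernel check, a policy without it ignores this rule and only lets a no_new_privs process transition to a type bounded by its own. A caller reading dpkg.if alone would therefore expect the transition to work and get a silent failure instead. I'd extend the summary with a sentence such as `## Only effective when the nnp_nosuid_transition policy capability is enabled; without it this rule has no effect.`, and name the parameter more precisely as `## Domain allowed to transition to dpkg_t with no_new_privs set.`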
> @@ -456,8 +456,8 @@ optional_policy(`
> # System local policy
> #
> 
> -allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
> -allow system_cronjob_t self:process { signal_perms getsched setsched };
> +allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
> +allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
> allow system_cronjob_t self:fd use;
> allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
> allow system_cronjob_t self:passwd rootok;
> @@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
> kernel_getattr_message_if(system_cronjob_t)
> 
> kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_irq_sysctls(system_cronjob_t)
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> kernel_read_system_state(system_cronjob_t)
> @@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
> domain_dontaudit_read_all_domains_state(system_cronjob_t)
> 
> files_exec_etc_files(system_cronjob_t)
> +files_exec_usr_files(system_cronjob_t)
> files_read_etc_runtime_files(system_cronjob_t)
> files_list_all(system_cronjob_t)
> files_getattr_all_dirs(system_cronjob_t)
> @@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
> libs_exec_lib_files(system_cronjob_t)
> libs_exec_ld_so(system_cronjob_t)
> 
> -logging_read_generic_logs(system_cronjob_t)
> +logging_manage_generic_logs(system_cronjob_t)
> logging_send_audit_msgs(system_cronjob_t)
> logging_send_syslog_msg(system_cronjob_t)
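Review bot: `sys_resource` is added to system_cronjob_t's self:capability set together with `setrlimit` on self:process, and nothing in the hunk says which job needs it; CAP_SYS_RESOURCE covers far more than raising rlimits (quota and reserved-space overrides among others), so it should not be granted on a bare denial. If the job only lowers or re-applies its own limits, `setrlimit` alone is sufficient and the capability can be dropped; if it is a probe that fails harmlessly, a `dontaudit` is the usual refpolicy answer. At minimum add a why-comment above the rule, e.g. `# sys_resource/setrlimit: <job> raises its hard rlimits`, so the grant can be re-checked later. The system_cronjob_t local policy block continues beyond this hunk.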
> 
> @@ -675,6 +677,9 @@ optional_policy(`
> 
> optional_policy(`
> userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
> +
> + # for gpg-connect-agent to access /run/user/0
> + userdom_manage_user_runtime_dirs(system_cronjob_t)
> ')
> 
> ########################################
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
> manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
> files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
> 
> -can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> +can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
> 
> kernel_read_crypto_sysctls(NetworkManager_t)
> kernel_read_system_state(NetworkManager_t)
> @@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
> dev_getattr_all_chr_files(NetworkManager_t)
> dev_rw_wireless(NetworkManager_t)
> 
> +# for access(2)
> +dev_write_sysfs_dirs(NetworkManager_t)
> +
> domain_use_interactive_fds(NetworkManager_t)
> domain_read_all_domains_state(NetworkManager_t)
> 
> Index: refpolicy-2.20180701/policy/modules/services/xserver.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
> +++ refpolicy-2.20180701/policy/modules/services/xserver.te
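Review bot: Swapping `logging_read_generic_logs` for `logging_manage_generic_logs` gives system_cronjob_t create, unlink and rename on every generic log file, which is wider than a job that appends to its own log needs and overlaps with what the logrotate domain exists for. If the denial was write or append, a write-level interface on generic logs (refpolicy's logging.if carries `logging_write_generic_logs`/`logging_rw_generic_logs`-style interfaces; confirm the exact name in this version) is the narrower choice; if manage is really needed, a comment naming the job would justify it. This hunk sits inside the system_cronjob_t local policy block, which starts before it.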
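Review bot: The comment `# for gpg-connect-agent to access /run/user/0` describes a search-and-connect need, but `userdom_manage_user_runtime_dirs` grants create/delete/rename on every user's runtime directory, not only root's. If gpg-connect-agent only has to traverse `/run/user/0` and reach the agent socket, a search interface on user runtime dirs plus gpg's stream-connect interface would match the comment; if it actually creates `/run/user/0/gnupg`, say so in the comment and prefer a file transition to a gpg-specific type over manage on the whole tree. I cannot see the denial that motivated this, so the narrower form needs confirming against it.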
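Review bot: Adding `NetworkManager_initrc_exec_t` to the `can_exec` set runs the init script inside NetworkManager_t instead of through a domain transition to the init-script domain, so anything the script does inherits NetworkManager's privileges. If this is for dispatcher scripts invoking `/etc/init.d/NetworkManager`, that may be intended, but it deserves a comment saying so and a check that a transition via the init interfaces was not the better fit. `# dispatcher scripts run the init script in-domain; no transition wanted` would make the choice auditable.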
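Review bot: `dev_write_sysfs_dirs(NetworkManager_t)` is justified only by `# for access(2)`, but an `access(W_OK)` probe needs the AVC check to pass silently, not real write on sysfs directories, which would also let the daemon create entries under /sys. If NetworkManager merely probes writability and behaves correctly when denied, the refpolicy idiom is a dontaudit rule (`dev_dontaudit_write_sysfs_dirs`, if the dev module defines it) rather than an allow; if it genuinely writes, name the sysfs path in the comment. I'd change the line to the dontaudit form and extend the comment to `# access(2) W_OK probe on sysfs dirs; NM does not write there`.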
> @@ -147,6 +147,7 @@ type xauth_t;
> type xauth_exec_t;
> typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
> typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
> +userdom_manage_user_tmp_dirs(xauth_t)
> userdom_user_application_domain(xauth_t, xauth_exec_t)
> 
> type xauth_home_t;
> @@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
> userdom_read_user_tmp_files(xauth_t)
> 
> xserver_rw_xdm_tmp_files(xauth_t)
> +xserver_stream_connect(xauth_t)
> 
> tunable_policy(`use_nfs_home_dirs',`
> fs_manage_nfs_files(xauth_t)
> Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20180701/policy/modules/system/unconfined.te
> @@ -89,6 +89,7 @@ optional_policy(`
> ')
> 
> optional_policy(`
> + dpkg_nnp_transition(unconfined_t)
> dpkg_run(unconfined_t, unconfined_r)
> ')
> 
> Index: refpolicy-2.20180701/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180701/policy/modules/system/modutils.te
> @@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
> 
> fs_getattr_xattr_fs(kmod_t)
> fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
> +fs_search_tracefs(kmod_t)
> 
> init_rw_initctl(kmod_t)
> init_use_fds(kmod_t)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
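Review bot: `userdom_manage_user_tmp_dirs(xauth_t)` is placed in the declarations section between the `typealias` lines and `userdom_user_application_domain`, which breaks the refpolicy convention that only type/attribute declarations and domain-type setup go there and access rules live in the module's local policy section; the later hunk already has xauth's userdom rules (`userdom_read_user_tmp_files(xauth_t)`) where this belongs. Moving it there also puts the widening next to the read-only tmp access it extends: manage on user tmp dirs lets xauth create and remove directories in every user's /tmp, so a comment on why read/search is not enough would help. I'd move the line to follow `userdom_read_user_tmp_files(xauth_t)` in the local policy block.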
> @@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
> fs_manage_tmpfs_chr_files(systemd_nspawn_t)
> fs_mount_tmpfs(systemd_nspawn_t)
> fs_remount_tmpfs(systemd_nspawn_t)
> -fs_search_cgroup_dirs(systemd_nspawn_t)
> +fs_remount_xattr_fs(systemd_nspawn_t)
> +fs_read_cgroup_files(systemd_nspawn_t)
> 
> term_getattr_generic_ptys(systemd_nspawn_t)
> term_getattr_pty_fs(systemd_nspawn_t)
-- Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 Dominick Grift
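Review bot: `fs_remount_xattr_fs(systemd_nspawn_t)` lets nspawn remount any xattr-labelled filesystem on the host with changed mount flags (clearing ro or nosuid, for instance), which is a much larger grant than the `fs_search_cgroup_dirs` it replaces, and the hunk carries no comment on what nspawn actually remounts. If this is for re-mounting the container rootfs or its bind mounts read-only, a comment such as `# nspawn remounts the container rootfs/bind mounts with new flags` would let a reviewer scope it; if only tmpfs is remounted, `fs_remount_tmpfs` two lines above already covers that. Dropping the cgroup dir search in favour of `fs_read_cgroup_files` presumably still implies search on the directories, but that is worth confirming in fs.if so the previous access does not regress.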