On Tuesday, 19 January 2021 2:07:06 AM AEDT Dominick Grift wrote:
> > +allow matrixd_t self:fifo_file rw_file_perms;
> > +allow matrixd_t self:tcp_socket create_stream_socket_perms;
> > +allow matrixd_t self:netlink_route_socket rw_netlink_socket_perms;
>
> r_netlink_route_socket_perms probably

r_netlink_socket_perms works. There isn't a r_netlink_route_socket_perms.

> > +corenet_tcp_connect_http_port(matrixd_t)
> > +corenet_tcp_connect_http_cache_port(matrixd_t)
> > +corenet_udp_bind_generic_port(matrixd_t)
> > +corenet_tcp_bind_http_port(matrixd_t)
> > +corenet_udp_bind_reserved_port(matrixd_t)
> > +
> > +allow matrixd_t self:udp_socket create_socket_perms;
> > +allow matrixd_t self:unix_dgram_socket { create getopt setopt write };
>
> create_socket_perms

Done.

> > +# https://cffi.readthedocs.io/en/latest/using.html#callbacks
> > +allow matrixd_t self:process execmem;
> > +
> > +can_exec(matrixd_t, { matrixd_tmp_t matrixd_var_t })
>
> Are you sure that it requires "execute_no_trans" here and not just "map
> execute"? Can you show the avc denials that prompted this rule to be added?

I've removed that line and haven't been able to recreate whatever made me add
it. I'll submit a new patch without it.

> > +
> > +kernel_read_system_state(matrixd_t)
> > +kernel_search_fs_sysctls(matrixd_t)
> > +kernel_read_vm_overcommit_sysctl(matrixd_t)
> > +kernel_search_vm_sysctl(matrixd_t)
> > +
> > +corecmd_exec_bin(matrixd_t)
> > +corecmd_shell_entry_type(matrixd_t)
>
> Why would the matrixd_t domain be entered via shell_exec_t? Can you show
> the avc denials that prompted this rule to be added?

corecmd_shell_entry_type() wasn't needed.

Thanks for your review.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
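Review bot: the UDP bind rules in the corenet_ hunk are broader than the rest of that block suggests is needed. corenet_udp_bind_generic_port(matrixd_t) together with corenet_udp_bind_reserved_port(matrixd_t) lets the daemon bind any UDP port that carries no more specific label, including the reserved range below 1024, while the TCP side is pinned to http_port. Please state which UDP port(s) matrixd actually binds and include the avc denials; if it is one fixed port, binding to that port's existing label (or a dedicated port type) would be tighter than the generic and reserved catch-alls.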
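Review bot: two points on the kernel_/corecmd_ hunk. kernel_search_vm_sysctl(matrixd_t) looks redundant next to kernel_read_vm_overcommit_sysctl(matrixd_t); check whether the read interface already grants search on the vm sysctl directory and drop the separate line if it does. corecmd_exec_bin(matrixd_t) allows the daemon to run any bin_t executable without a domain transition, which hands a large set of system binaries to a compromised matrixd_t; name the helper(s) the daemon actually executes and show the denial so that a narrower rule can be considered.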