On 1/21/21 2:35 PM, Dominick Grift wrote: > > > On 1/21/21 2:25 PM, Russell Coker wrote: >> On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote: >>>> /usr/sbin/suexec -- >> gen_context(system_u:object_r:httpd_suexec_exec_ >>>> t,s0) >>>> /usr/sbin/wigwam -- >> gen_context(system_u:object_r:httpd_exec_t,s0)> >>>> +/usr/sbin/php7..-fpm -- >> gen_context(system_u:object_r:httpd_exec_t,s0 >>>> ) >>> >>> that seems fragile. would probably have used "/usr/sbin/php.*-fpm" >> >> OK, I'll change that. >> >>>> +interface(`apache_delete_squirrelmail_spool',` >>>> + gen_require(` >>>> + type squirrelmail_spool_t; >>>> + ') >>>> + >>>> + allow $1 squirrelmail_spool_t:dir rw_dir_perms; >>>> + allow $1 squirrelmail_spool_t:file delete_file_perms; >>> >>> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t) >> >> OK. >> >>>> tunable_policy(`httpd_enable_homedirs',` >>>> >>>> - userdom_search_user_home_dirs(httpd_t) >>>> + userdom_list_user_home_content(httpd_t) >>> >>> this is not how it was designed. If you want that functionality then set >>> httpd_read_user_content boolean to true instead >> >> OK, I'll delete that patch and do it a better way next time I see a case for >> it. >> >>>> allow cupsd_t self:process { getpgid setpgid setsched signal_perms }; >>>> allow cupsd_t self:fifo_file rw_fifo_file_perms; >>>> allow cupsd_t self:unix_stream_socket { accept connectto listen }; >>>> allow cupsd_t self:netlink_selinux_socket create_socket_perms; >>>> >>>> +allow cupsd_t self:netlink_kobject_uevent_socket { bind create >>>> >>>> getattr read setopt }; >>> >>> create_socket_perms, use the permission sets and patterns where appropriate >> >> ok >> >>>> Index: refpolicy-2.20210120/policy/modules/services/l2tp.te >>>> =================================================================== >>>> --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te >>>> +++ refpolicy-2.20210120/policy/modules/services/l2tp.te 
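Review bot: The new file context `/usr/sbin/php7..-fpm` is version-specific in a way that will break silently: `..` matches exactly two characters, so `php7.4-fpm` is labelled but `php7.10-fpm` or any `php8.x-fpm` falls back to the default `bin_t` label and php-fpm runs outside `httpd_t` with no denial to point at the cause. The `/usr/sbin/php.*-fpm` pattern already suggested in the thread covers every release with one entry.

Review bot: In `apache_delete_squirrelmail_spool`, `allow $1 squirrelmail_spool_t:dir rw_dir_perms;` grants `add_name` and `write` on the spool directory, which a delete-only interface does not need. `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)`, as suggested, expands to `del_dir_perms` on the directory plus `delete_file_perms` on the files, which is both the tighter set and the form the rest of refpolicy uses.

Review bot: Swapping `userdom_search_user_home_dirs(httpd_t)` for `userdom_list_user_home_content(httpd_t)` inside `tunable_policy(`httpd_enable_homedirs',...)` changes what every deployment that enables home directories receives, from searching the home directory path to listing all user home content. Reading user content is already a separately gated decision via the `httpd_read_user_content` boolean named in the thread, so the tunable should keep its original scope and the broader access be enabled per system.

Review bot: `allow cupsd_t self:netlink_kobject_uevent_socket { bind create getattr read setopt };` hand-lists permissions while the neighbouring rule in the same hunk (`netlink_selinux_socket create_socket_perms`) uses the permission set; use `create_socket_perms` here too. The open-coded list also lacks `getopt`, `write` and `ioctl`, so it is likely to produce another round of denials once the uevent socket is actually used.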
>>>> @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_ >>>> >>>> allow l2tpd_t self:tcp_socket { accept listen }; >>>> allow l2tpd_t self:unix_dgram_socket sendto; >>>> allow l2tpd_t self:unix_stream_socket { accept listen }; >>>> >>>> +allow l2tpd_t self:pppox_socket create; >>> >>> create_socket_perms probably eventually >> >> Maybe, but for the moment I think it's best to leave them like that. I had it >> working fully only needing those accesses. >> >>>> @@ -59,7 +59,7 @@ interface(`mysql_signal',` >>>> >>>> type mysqld_t; >>>> >>>> ') >>>> >>>> - allow $1 mysqld_t:process signal; >>>> + allow $1 mysqld_t:process { signull signal }; >>> >>> create a new mysql_signull() >>> >>> by generalizing interfaces and putting them out of context you're >>> shutting down doors for fine grained access control. >> >> OK, I'll drop that patch and add a mysql_signull() next time I see the need >> for it (probably a week or two). >> >>>> optional_policy(` >>>> >>>> + dbus_send_system_bus(smbd_t) >>>> + dbus_system_bus_client(smbd_t) >>> >>> dbus_send_system_bus(smbd_t) is redundant (already implied with >>> dbus_system_bus_client(smbd_t) >> >> ok >> >>>> Index: refpolicy-2.20210120/policy/modules/services/squid.te >>>> =================================================================== >>>> --- refpolicy-2.20210120.orig/policy/modules/services/squid.te >>>> +++ refpolicy-2.20210120/policy/modules/services/squid.te 
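Review bot: `allow l2tpd_t self:pppox_socket create;` is the only socket rule in this file that grants a single permission rather than a permission set; the thread agrees `create_socket_perms` is where this ends up. If the deliberately minimal `create` is kept because it was observed to be sufficient, a one-line comment above the rule saying so would stop the next maintainer from treating it as an oversight.

Review bot: Changing `mysql_signal` from `allow $1 mysqld_t:process signal;` to `{ signull signal }` alters the contract of an existing interface for every caller: `signull` is an existence probe, not a signal, and after this change a domain that only needs to probe mysqld (or only to signal it) can no longer be granted just that. A separate `mysql_signull()` interface, as the thread concludes, keeps the two grants independently assignable.

Review bot: `dbus_send_system_bus(smbd_t)` directly above `dbus_system_bus_client(smbd_t)` is redundant, as noted: the client interface already includes sending to the system bus, so the first line should be dropped rather than carried as a duplicate rule.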
>>>> @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive }; >>>> >>>> allow squid_t self:unix_dgram_socket sendto; >>>> allow squid_t self:unix_stream_socket { accept connectto listen }; >>>> allow squid_t self:tcp_socket { accept listen }; >>>> >>>> +allow squid_t self:netlink_netfilter_socket >>>> all_netlink_netfilter_socket_perms; >>> >>> probably just create_socket_perms? >> >> OK. >> >>>> Index: refpolicy-2.20210120/policy/modules/services/ssh.te >>>> =================================================================== >>>> --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te >>>> +++ refpolicy-2.20210120/policy/modules/services/ssh.te >>>> @@ -268,6 +268,7 @@ ifdef(`init_systemd',` >>>> >>>> init_dbus_chat(sshd_t) >>>> systemd_dbus_chat_logind(sshd_t) >>>> init_rw_stream_soconnectivitycheck.cbg-app.huawei.comckets(sshd_t) >>>> >>>> + systemd_read_logind_sessions_files(sshd_t) >>> >>> This should probably be addressed on the lower authlogin level instead >> >> auth_login_pgm_domain()? > > I would consider adding it to auth_use_pam(). but it's a good question. > >> >> In another patch I have systemd_connect_machined(sshd_t) which I guess should >> go in the same one too. > > Which patch was that? That does not look right if only that the name of > the interface isn't very descriptive (there is no way unix stream connect > or unix dgram sendto machined. > > So this is either about systemd's nss mymachines (in which case it > belongs in auth_use_nsswitch() or about reading systemd > /var/run/machines in which case the interface name is wrong. I meant /var/run/systemd/machines > >> >> >> Thanks for all the suggestions. I'll send an updated version shortly. >>
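Review bot: `allow squid_t self:netlink_netfilter_socket all_netlink_netfilter_socket_perms;` grants the entire class permission set, including relabel and listen/accept permissions a proxy has no reason to hold on its own netfilter socket; the `all_*_perms` macros exist mainly for neverallow rules and unconfined domains. Every neighbouring rule in the hunk uses a narrow set, so `create_socket_perms`, as suggested, is the consistent choice.

Review bot: `systemd_read_logind_sessions_files(sshd_t)` patches one login program, but this access originates in the PAM session stack rather than in anything sshd-specific, so every PAM-using login domain will hit the same denial one at a time. Placing it in authlogin, in `auth_use_pam()` (or `auth_login_pgm_domain()`) as discussed, fixes them all in one place and keeps ssh.te from accumulating systemd rules beyond what the existing `ifdef(`init_systemd',...)` block already carries.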