On Thursday, 21 January 2021 1:53:44 AM AEDT Dominick Grift wrote:
> > /usr/sbin/suexec -- gen_context(system_u:object_r:httpd_suexec_exec_
> > t,s0)
> > /usr/sbin/wigwam -- gen_context(system_u:object_r:httpd_exec_t,s0)
> > +/usr/sbin/php7..-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0
> > )
>
> that seems fragile. would probably have used "/usr/sbin/php.*-fpm"

OK, I'll change that.

> > +interface(`apache_delete_squirrelmail_spool',`
> > + gen_require(`
> > + type squirrelmail_spool_t;
> > + ')
> > +
> > + allow $1 squirrelmail_spool_t:dir rw_dir_perms;
> > + allow $1 squirrelmail_spool_t:file delete_file_perms;
>
> delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)

OK.

> > tunable_policy(`httpd_enable_homedirs',`
> >
> > - userdom_search_user_home_dirs(httpd_t)
> > + userdom_list_user_home_content(httpd_t)
>
> this is not how it was designed. If you want that functionality then set
> httpd_read_user_content boolean to true instead

OK, I'll delete that patch and do it a better way next time I see a case for it.

> > allow cupsd_t self:process { getpgid setpgid setsched signal_perms };
> > allow cupsd_t self:fifo_file rw_fifo_file_perms;
> > allow cupsd_t self:unix_stream_socket { accept connectto listen };
> > allow cupsd_t self:netlink_selinux_socket create_socket_perms;
> >
> > +allow cupsd_t self:netlink_kobject_uevent_socket { bind create
> > getattr read setopt };
>
> create_socket_perms, use the permission sets and patterns where appropriate

ok

> > Index: refpolicy-2.20210120/policy/modules/services/l2tp.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/l2tp.te
> > +++ refpolicy-2.20210120/policy/modules/services/l2tp.te
> > @@ -35,6 +35,7 @@ allow l2tpd_t self:socket create_socket_
> >
> > allow l2tpd_t self:tcp_socket { accept listen };
> > allow l2tpd_t self:unix_dgram_socket sendto;
> > allow l2tpd_t self:unix_stream_socket { accept listen };
> >
> > +allow l2tpd_t self:pppox_socket create;
>
> create_socket_perms probably eventually

Maybe, but for the moment I think it's best to leave them like that. I had it working fully only needing those accesses.

> > @@ -59,7 +59,7 @@ interface(`mysql_signal',`
> >
> > type mysqld_t;
> >
> > ')
> >
> > - allow $1 mysqld_t:process signal;
> > + allow $1 mysqld_t:process { signull signal };
>
> create a new mysql_signull()
>
> by generalizing interfaces and putting them out of context you're
> shutting down doors for fine grained access control.

OK, I'll drop that patch and add a mysql_signull() next time I see the need for it (probably a week or two).

> > optional_policy(`
> >
> > + dbus_send_system_bus(smbd_t)
> > + dbus_system_bus_client(smbd_t)
>
> dbus_send_system_bus(smbd_t) is redundant (already implied with
> dbus_system_bus_client(smbd_t)

ok

> > Index: refpolicy-2.20210120/policy/modules/services/squid.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/squid.te
> > +++ refpolicy-2.20210120/policy/modules/services/squid.te
> > @@ -71,6 +71,7 @@ allow squid_t self:msg { send receive };
> >
> > allow squid_t self:unix_dgram_socket sendto;
> > allow squid_t self:unix_stream_socket { accept connectto listen };
> > allow squid_t self:tcp_socket { accept listen };
> >
> > +allow squid_t self:netlink_netfilter_socket
> > all_netlink_netfilter_socket_perms;
>
> probably just create_socket_perms?

OK.

> > Index: refpolicy-2.20210120/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20210120.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20210120/policy/modules/services/ssh.te
> > @@ -268,6 +268,7 @@ ifdef(`init_systemd',`
> >
> > init_dbus_chat(sshd_t)
> > systemd_dbus_chat_logind(sshd_t)
> > init_rw_stream_sockets(sshd_t)
> >
> > + systemd_read_logind_sessions_files(sshd_t)
>
> This should probably be addressed on the lower authlogin level instead

auth_login_pgm_domain()? In another patch I have systemd_connect_machined(sshd_t) which I guess should go in the same one too.

Thanks for all the suggestions. I'll send an updated version shortly.

-- 
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/
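Review bot: in the file_contexts hunk, `/usr/sbin/php7..-fpm` is a regular expression, so each unescaped `.` matches any single character: the entry matches `php7.4-fpm` but equally `php7xx-fpm`, and it never matches `php8.0-fpm` or `php7.10-fpm` because exactly two characters must follow the `7`. A character class bounds the version glob more tightly than the suggested `/usr/sbin/php.*-fpm` while still covering future major versions, e.g. `/usr/sbin/php[0-9.]+-fpm -- gen_context(system_u:object_r:httpd_exec_t,s0)`.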
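Review bot: `apache_delete_squirrelmail_spool` grants `rw_dir_perms` on `squirrelmail_spool_t` directories, and that set includes `add_name` and `write`, which is more than deleting spool files requires and lets every caller of the interface create files in the spool. `delete_files_pattern($1, squirrelmail_spool_t, squirrelmail_spool_t)` expands to `del_entry_dir_perms` on the directory plus `delete_file_perms` on the files, which matches what the interface name promises and keeps the grant to the minimum.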