[PATCH] type transition rules for Debian installations


 



This patch adds named type transition rules for directories that are created without their type being specified; hopefully these will be removed at some future time when the package maintainer does things differently, but that won't happen soon.

Signed-off-by: Russell Coker <russell@xxxxxxxxxxxx>

Index: refpolicy-2.20210129/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210129/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="name" optional="true">
+##      <summary>
+##      The name of the object being created.
+##      </summary>
+## </param>
 #
 interface(`auth_etc_filetrans_shadow',`
 	gen_require(`
 		type shadow_t;
 	')
 
-	files_etc_filetrans($1, shadow_t, file)
+	files_etc_filetrans($1, shadow_t, file, $2)
 ')
 
 #######################################
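Review bot: The added `<param name="name">` block indents its `<summary>` lines with spaces (`##      <summary>`) while the existing param doc two lines above uses a tab (`##	Domain allowed access.`); matching the tab keeps the interface's XML doc comment consistent and avoids a whitespace-only diff later. The parameter is correctly marked `optional="true"`, and passing `$2` straight through to files_etc_filetrans keeps existing callers that omit it working.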
Index: refpolicy-2.20210129/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210129/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
 
 files_manage_non_auth_files(dpkg_script_t)
 
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
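Review bot: The new `auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")` carries no comment saying which maintainer-script step creates /etc/shadow.upwd-write, and the name alone does not make that obvious; a comment such as `# Debian maintainer scripts write /etc/shadow.upwd-write; label it shadow_t (confirm which tool creates it)` would tell a reader why dpkg scripts, which already hold auth_manage_shadow on the next line, need a transition on that exact name. Scoping the transition to one name rather than to every file dpkg_script_t creates in /etc is the right choice here, given that the domain also has files_manage_non_auth_files.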
@@ -307,10 +308,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+	aptcacher_create_cache_dir(dpkg_script_t)
+	aptcacher_create_conf_dir(dpkg_script_t)
+	aptcacher_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	bootloader_run(dpkg_script_t, dpkg_roles)
 ')
 
 optional_policy(`
+	clamav_create_freshclam_log(dpkg_script_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_power(dpkg_script_t)
 ')
 
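Review bot: Nothing in the new aptcacher and clamav optional_policy blocks records that these named transitions are, per the patch description, a stopgap for maintainer scripts that create the directories untyped; a short comment above each block, e.g. `# Debian maintainer scripts create these untyped; remove once they label them`, marks which rules are candidates for removal later. The mysql block in the next hunk has the same gap. The new blocks are slotted alphabetically among the existing optional_policy entries, which matches the file.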
@@ -327,6 +338,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_create_db_dir(dpkg_script_t)
+	mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(dpkg_script_t)
 ')
 
Index: refpolicy-2.20210129/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210129/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 
-/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /run/mysqld.*	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
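Review bot: The new `/var/log/mysql(/.*)?` pattern no longer matches regular files named `/var/log/mysql.*` (for example a `mysql.log` or `mysql.err` directly under /var/log), which the removed `--` line labeled mysqld_log_t; such files would fall back to the default /var/log label and writes to them would be denied. If that layout is still in use on any supported distribution, keep both patterns: `/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)` next to the new directory pattern. The mariadb line changes only whitespace.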
Index: refpolicy-2.20210129/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210129/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
 
 ########################################
 ## <summary>
+##	create mysqld db dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mysqld home files.
 ## </summary>
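Review bot: The summary `create mysqld db dir.` for mysql_create_db_dir is lowercase and does not name the path or the resulting type, while the neighbouring summaries (`Create, read, write, and delete mysqld home files.`) are capitalized sentences; `##	Create /var/lib/mysql with the mysqld_db_t type.` states what the files_var_lib_filetrans call does. The same lowercase style appears in mysql_create_log_dir (next hunk), in clamav_create_freshclam_log, and in the aptcacher and ftp interfaces later in the patch, which at least name the path but not the type assigned.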
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 mysqld_log_t:dir search_dir_perms;
 	allow $1 mysqld_log_t:file write_file_perms;
 ')
 
+########################################
+## <summary>
+##	create mysqld log dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+	gen_require(`
+		type mysqld_log_t;
+	')
+
+	logging_search_logs($1)
+	logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
 ######################################
 ## <summary>
 ##	Execute mysqld safe in the
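Review bot: The added `allow $1 mysqld_log_t:dir search_dir_perms;` in mysql_write_log widens the interface beyond writing files with no comment on why; logging_search_logs($1) on the line above reaches /var/log but not a mysqld_log_t directory inside it, which the mysql.fc change in this patch introduces for /var/log/mysql. A one-line comment, `# /var/log/mysql is now a directory labeled mysqld_log_t`, ties the two changes together; mysql_write_log's header is outside the hunk. Separately, mysql_create_log_dir calls `logging_search_logs($1)` before logging_log_filetrans while the new aptcacher_create_log_dir later in the patch does not; one of them is either redundant or missing, and the two should agree.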
Index: refpolicy-2.20210129/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210129/policy/modules/services/clamav.if
@@ -430,3 +430,21 @@ interface(`clamav_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
 ')
+
+########################################
+## <summary>
+##	specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_create_freshclam_log',`
+	gen_require(`
+		type clamd_var_log_t, freshclam_var_log_t;
+	')
+
+	filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
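Review bot: clamav_create_freshclam_log grants the transition inside a clamd_var_log_t directory but nothing to reach that directory: filetrans_pattern gives directory permissions on clamd_var_log_t only, so a caller without its own search access on /var/log cannot traverse to it. mysql_create_log_dir in this same patch prefixes `logging_search_logs($1)`; adding that line before the filetrans_pattern call keeps the interface self-contained. The only caller added here, dpkg_script_t, may already hold that access through rules elsewhere in dpkg.te, which would mask the gap in testing.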
Index: refpolicy-2.20210129/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210129/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+########################################
+## <summary>
+##	create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_create_log_dir',`
+	gen_require(`
+		type aptcacher_log_t;
+	')
+
+	logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+##	create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_create_cache_dir',`
+	gen_require(`
+		type aptcacher_cache_t;
+	')
+
+	files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+##	create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_create_conf_dir',`
+	gen_require(`
+		type aptcacher_conf_t;
+	')
+
+	files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
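Review bot: The summary `create /var/cache/apt-cacher-ng` is more specific than the rule beneath it: files_var_filetrans keys the transition on the parent directory's type rather than on the /var/cache path, so a directory named apt-cacher-ng gets aptcacher_cache_t when created under any directory with that type, not only /var/cache (assuming /var/cache carries the generic /var label in this refpolicy; verify). Either widen the wording, e.g. `##	Create a directory named apt-cacher-ng under /var (e.g. /var/cache) with the aptcacher_cache_t type.`, or, if /var/cache has a dedicated type, use the matching filetrans interface. The same consideration applies to aptcacher_create_conf_dir, though /etc has few other directories sharing its type.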
Index: refpolicy-2.20210129/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210129/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
 
 	ftp_run_ftpdctl($1, $2)
 ')
+
+########################################
+## <summary>
+##	create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_create_pure_ftpd_runtime',`
+	gen_require(`
+		type ftpd_runtime_t;
+	')
+
+	files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210129/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/init.te
+++ refpolicy-2.20210129/policy/modules/system/init.te
@@ -1287,6 +1287,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ftp_create_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
 	rpc_read_exports(initrc_t)
 ')
 
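Review bot: The new optional_policy grants initrc_t a named transition for /run/pure-ftpd with no comment on why the init script, rather than the daemon, creates that directory; a one-line comment such as `# Debian's pure-ftpd init script creates /run/pure-ftpd before starting the daemon (confirm)` would record the reason and, per the patch description, mark the rule as removable once the scripts change. The block is placed alphabetically before rpc_read_exports, which matches the file.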



