From: Chris PeBenito <pebenito@ieee.org>
To: Russell Coker <russell@coker.com.au>, selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] small misc patches
Date: Tue, 2 Feb 2021 13:33:54 -0500 [thread overview]
Message-ID: <b1dc3c80-35f4-a3fc-87d3-66b677b8df5e@ieee.org> (raw)
In-Reply-To: <YBlp5CTSH2Yid0f4@xev>
On 2/2/21 10:04 AM, Russell Coker wrote:
> Little patches for apt, bootloader, logrotate, games, and mplayer.
>
> Signed-off-by: Russell Coker <russell@coker.com.au>
>
> Index: refpolicy-2.20210126/policy/modules/admin/apt.fc
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.fc
> +++ refpolicy-2.20210126/policy/modules/admin/apt.fc
> @@ -5,6 +5,8 @@
> /usr/bin/apt-shell -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/bin/aptitude -- gen_context(system_u:object_r:apt_exec_t,s0)
> /usr/sbin/update-apt-xapian-index -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/share/unattended-upgrades/unattended-upgrade-shutdown -- gen_context(system_u:object_r:apt_exec_t,s0)
> +/usr/bin/unattended-upgrade -- gen_context(system_u:object_r:apt_exec_t,s0)
>
> ifndef(`distro_redhat',`
> /usr/sbin/synaptic -- gen_context(system_u:object_r:apt_exec_t,s0)
> @@ -23,5 +25,5 @@ ifndef(`distro_redhat',`
> /var/lock/aptitude gen_context(system_u:object_r:apt_lock_t,s0)
>
> /var/log/aptitude.* gen_context(system_u:object_r:apt_var_log_t,s0)
> -
> +/var/log/unattended-upgrades(/.*) gen_context(system_u:object_r:apt_var_log_t,s0)
> /var/log/apt(/.*)? gen_context(system_u:object_r:apt_var_log_t,s0)
> Index: refpolicy-2.20210126/policy/modules/admin/apt.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/apt.te
> +++ refpolicy-2.20210126/policy/modules/admin/apt.te
> @@ -155,6 +155,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + networkmanager_dbus_chat(apt_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(apt_t)
> ')
>
> @@ -169,5 +173,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_dbus_chat_logind(apt_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(apt_t)
> ')
> Index: refpolicy-2.20210126/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210126/policy/modules/admin/bootloader.te
> @@ -186,6 +186,9 @@ ifdef(`distro_debian',`
>
> dpkg_read_db(bootloader_t)
> dpkg_rw_pipes(bootloader_t)
> +
> + apt_use_fds(bootloader_t)
> + apt_use_ptys(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20210126/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210126/policy/modules/admin/logrotate.te
> @@ -121,6 +121,7 @@ logging_send_syslog_msg(logrotate_t)
> logging_send_audit_msgs(logrotate_t)
> logging_exec_all_logs(logrotate_t)
>
> +miscfiles_read_generic_certs(logrotate_t)
> miscfiles_read_localization(logrotate_t)
>
> seutil_dontaudit_read_config(logrotate_t)
> @@ -242,6 +243,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + samba_domtrans_smbcontrol(logrotate_t)
> samba_exec_log(logrotate_t)
> ')
>
> Index: refpolicy-2.20210126/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210126/policy/modules/apps/games.te
> @@ -111,9 +111,11 @@ fs_tmpfs_filetrans(games_t, games_tmpfs_
>
> can_exec(games_t, games_exec_t)
>
> +kernel_read_kernel_sysctls(games_t)
> kernel_read_system_state(games_t)
>
> corecmd_exec_bin(games_t)
> +corecmd_exec_shell(games_t)
>
> corenet_all_recvfrom_netlabel(games_t)
> corenet_tcp_sendrecv_generic_if(games_t)
> @@ -146,6 +148,7 @@ init_dontaudit_rw_utmp(games_t)
>
> logging_dontaudit_search_logs(games_t)
>
> +miscfiles_read_generic_certs(games_t)
> miscfiles_read_man_pages(games_t)
> miscfiles_read_localization(games_t)
>
> @@ -162,8 +165,14 @@ tunable_policy(`allow_execmem',`
> ')
>
> optional_policy(`
> + alsa_read_config(games_t)
> +')
> +
> +optional_policy(`
> dbus_all_session_bus_client(games_t)
> dbus_connect_all_session_bus(games_t)
> + dbus_read_lib_files(games_t)
> + dbus_system_bus_client(games_t)
> ')
>
> optional_policy(`
> @@ -175,6 +184,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + xdg_read_config_files(games_t)
> + xdg_read_data_files(games_t)
> +')
> +
> +optional_policy(`
> xserver_user_x_domain_template(games, games_t, games_tmpfs_t)
> xserver_create_xdm_tmp_sockets(games_t)
> xserver_read_xdm_lib_files(games_t)
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.if
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.if
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.if
> @@ -38,7 +38,7 @@ interface(`mplayer_role',`
> domtrans_pattern($2, mencoder_exec_t, mencoder_t)
> domtrans_pattern($2, mplayer_exec_t, mplayer_t)
>
> - allow $2 { mplayer_t mencoder_t }:process { ptrace signal_perms };
> + allow $2 { mplayer_t mencoder_t }:process { getsched ptrace signal_perms };
> ps_process_pattern($2, { mplayer_t mencoder_t })
>
> allow $2 mplayer_home_t:dir { manage_dir_perms relabel_dir_perms };
> Index: refpolicy-2.20210126/policy/modules/apps/mplayer.te
> ===================================================================
> --- refpolicy-2.20210126.orig/policy/modules/apps/mplayer.te
> +++ refpolicy-2.20210126/policy/modules/apps/mplayer.te
> @@ -119,12 +119,16 @@ tunable_policy(`use_samba_home_dirs',`
> fs_manage_cifs_symlinks(mencoder_t)
> ')
>
> +tunable_policy(`xserver_allow_dri',`
> + dev_rw_dri(mplayer_t)
> +')
> +
> ########################################
> #
> # Mplayer local policy
> #
>
> -allow mplayer_t self:process { signal_perms getsched };
> +allow mplayer_t self:process { signal_perms getsched setsched };
> allow mplayer_t self:fifo_file rw_fifo_file_perms;
> allow mplayer_t self:sem create_sem_perms;
> allow mplayer_t self:udp_socket create_socket_perms;
> @@ -147,6 +151,7 @@ fs_tmpfs_filetrans(mplayer_t, mplayer_tm
> kernel_dontaudit_list_unlabeled(mplayer_t)
> kernel_dontaudit_getattr_unlabeled_files(mplayer_t)
> kernel_dontaudit_read_unlabeled_files(mplayer_t)
> +kernel_read_crypto_sysctls(mplayer_t)
> kernel_read_system_state(mplayer_t)
> kernel_read_kernel_sysctls(mplayer_t)
This looks like a duplicate patch.
--
Chris PeBenito
prev parent reply other threads:[~2021-02-02 19:12 UTC|newest]
Thread overview: 2+ messages / expand[flat|nested] mbox.gz Atom feed top
2021-02-02 15:04 [PATCH] small misc patches Russell Coker
2021-02-02 18:33 ` Chris PeBenito [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=b1dc3c80-35f4-a3fc-87d3-66b677b8df5e@ieee.org \
--to=pebenito@ieee.org \
--cc=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).