[DSE-Dev] policy patch

Russell Coker russell at coker.com.au
Sat Oct 13 08:06:06 UTC 2012


I've attached my latest patch against the policy in wheezy; below is the 
changelog entry.  Could whoever is doing the next upload please include this?

Sorry for the lack of response to the last request, I'm trying to get back on 
track now.

  * Label ~/.adobe(/.*)? as mozilla_home_t for flash
  * Allow user_t etc to access mozilla_t classes shm and sem for sharing the
    sound device
  * Label /usr/sbin/opendkim as dkim_milter_exec_t
  * Make postfix.pp not depend on unconfined.pp for "strict" configurations
  * Label postalias as postfix_master_exec_t for newaliases
  * Allow watchdog_t to read syslog pid files for process watching
  * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
  * Allow systemd_passwd_agent_t access to search selinuxfs and write to
    the console for getting a password for encrypted filesystems
  * Label /sbin/xtables-multi (the new iptables) as iptables_exec_t
  * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
  * Allow user_t to access mozilla_tmp_t
  * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t
  * Label port 5546 as dhcpc_port_t for the client control port and allow
    dhcpc_t to bind to it for TCP
  * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
    Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
    Label /usr/lib/dovecot/(.*/)?lib.*\.so.* as lib_t
    Closes: #690225

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
Description: Misc minor stuff for wheezy update
Last-Update: 2012-10-11 
.
 refpolicy (2:2.20110726-11.1) unstable; urgency=low
 .
   * Label ~/.adobe(/.*)? as mozilla_home_t for flash
   * Allow user_t etc to access mozilla_t classes shm and sem for sharing the
     sound device
   * Label /usr/sbin/opendkim as dkim_milter_exec_t
   * Make postfix.pp not depend on unconfined.pp for "strict" configurations
   * Label postalias as postfix_master_exec_t for newaliases
   * Allow watchdog_t to read syslog pid files for process watching
   * Allow lvm_t (systemd-cryptsetup) systemd_manage_passwd_run() access
   * Allow systemd_passwd_agent_t access to search selinuxfs and write to
     the console for getting a password for encrypted filesystems
   * Label /sbin/xtables-multi (the new iptables) as iptables_exec_t
   * Label /run/pm-utils(/.*)? as devicekit_var_run_t not hald_var_run_t
   * Allow user_t to access mozilla_tmp_t
   * Label /usr/lib/kde4/libexec/* and /usr/lib/gvfs/* as bin_t
   * Label port 5546 as dhcpc_port_t for the client control port and allow
     dhcpc_t to bind to it for TCP
   * Label /usr/lib/dovecot/auth as dovecot_auth_exec_t.
     Label /usr/lib/dovecot/dovecot-lda as lda_exec_t
     Label /usr/lib/dovecot/libdovecot.*\.so.* as lib_t
     Closes: #690225
Author: Russell Coker <russell at coker.com.au>
Bug-Debian: http://bugs.debian.org/690225

---
The information above should follow the Patch Tagging Guidelines, please
checkout http://dep.debian.net/deps/dep3/ to learn about the format. Here
are templates for supplementary fields that you might want to add:

Origin: <vendor|upstream|other>, <url of original patch>
Bug: <url in upstream bugtracker>
Bug-Debian: http://bugs.debian.org/<bugnumber>
Bug-Ubuntu: https://launchpad.net/bugs/<bugnumber>
Forwarded: <no|not-needed|url proving that it has been forwarded>
Reviewed-By: <name and email of someone who approved the patch>
Last-Update: <YYYY-MM-DD>

--- a/policy/modules/apps/mozilla.fc
+++ b/policy/modules/apps/mozilla.fc
@@ -8,6 +8,7 @@
 HOME_DIR/\.fontconfig(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/Downloads(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/.macromedia(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
+HOME_DIR/.adobe(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 HOME_DIR/.pki(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)
 
 #
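Review bot: The dot in the added `HOME_DIR/.adobe(/.*)?` entry is unescaped, so as a regex it matches any single character before `adobe` rather than only the literal `.adobe` directory; the `HOME_DIR/\.fontconfig(/.*)?` line above shows the intended form. Suggest `HOME_DIR/\.adobe(/.*)?		gen_context(system_u:object_r:mozilla_home_t,s0)`. The neighbouring `.macromedia` and `.pki` context lines have the same issue but are not touched by this patch.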
--- a/policy/modules/apps/mozilla.if
+++ b/policy/modules/apps/mozilla.if
@@ -17,7 +17,7 @@
 #
 interface(`mozilla_role',`
 	gen_require(`
-		type mozilla_t, chrome_sandbox_t, mozilla_exec_t, chrome_browser_exec_t, mozilla_home_t;
+		type mozilla_t, chrome_sandbox_t, mozilla_exec_t, chrome_browser_exec_t, mozilla_home_t, mozilla_tmpfs_t, mozilla_tmp_t;
 	')
 
 	role $1 types { mozilla_t chrome_sandbox_t };
@@ -33,18 +33,21 @@
 	ps_process_pattern($2, mozilla_t)
 	allow $2 mozilla_t:process signal_perms;
 
+	# for sharing the sound device
+	allow $2 mozilla_t:shm { rw_shm_perms destroy };
+	allow $2 mozilla_t:sem { rw_sem_perms destroy };
+	allow $2 mozilla_tmpfs_t:file rw_file_perms;
+
 	allow $2 mozilla_t:fd use;
-	allow $2 mozilla_t:shm { associate getattr };
-	allow $2 mozilla_t:shm { unix_read unix_write };
 	allow $2 mozilla_t:unix_stream_socket connectto;
 
 	# X access, Home files
-	manage_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
-	manage_files_pattern($2, mozilla_home_t, mozilla_home_t)
-	manage_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
-	relabel_dirs_pattern($2, mozilla_home_t, mozilla_home_t)
-	relabel_files_pattern($2, mozilla_home_t, mozilla_home_t)
-	relabel_lnk_files_pattern($2, mozilla_home_t, mozilla_home_t)
+	manage_dirs_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
+	manage_files_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
+	manage_lnk_files_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
+	relabel_dirs_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
+	relabel_files_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
+	relabel_lnk_files_pattern($2, { mozilla_home_t mozilla_tmp_t }, { mozilla_home_t mozilla_tmp_t })
 
 	mozilla_run_plugin(mozilla_t, $1)
 	mozilla_dbus_chat($2)
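Review bot: The replacement rule `allow $2 mozilla_t:shm { rw_shm_perms destroy };` and the sem rule below it grant `destroy`, which goes beyond what the `# for sharing the sound device` comment explains and beyond the associate/getattr/unix_read/unix_write the removed lines granted; either drop `destroy` from both rules or extend the comment to say why the user domain must be able to remove the browser's IPC objects. The relabel patterns now list both `mozilla_home_t` and `mozilla_tmp_t` as source and target, so $2 may relabel between the two types rather than only restoring each type to itself; if that cross-relabel is not intended, keep one `relabel_*_pattern` call per type. mozilla_role continues past the end of the hunk.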
--- a/policy/modules/kernel/corecommands.fc
+++ b/policy/modules/kernel/corecommands.fc
@@ -195,6 +195,8 @@
 
 /usr/(.*/)?sbin(/.*)?			gen_context(system_u:object_r:bin_t,s0)
 /usr/lib(.*/)?sbin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/gvfs/.*		--	gen_context(system_u:object_r:bin_t,s0)
 
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/fence(/.*)?			gen_context(system_u:object_r:bin_t,s0)
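Review bot: `/usr/lib/gvfs/.*	--	gen_context(system_u:object_r:bin_t,s0)` labels every regular file under the directory, and as I read file_contexts precedence its more specific stem would also win over the generic `/usr/lib` library patterns for any shared objects installed there; if the gvfs package ships helper libraries next to its daemons (not confirmable from the patch), they would become bin_t instead of lib_t. Listing the daemon names, or adding a matching `lib.*\.so` lib_t entry as this patch does for dovecot in libraries.fc, avoids that. The `/usr/lib/kde4/libexec/.*` line has the same shape and deserves the same check.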
--- a/policy/modules/kernel/corenetwork.te.in
+++ b/policy/modules/kernel/corenetwork.te.in
@@ -95,7 +95,7 @@
 network_port(dbskkd, tcp,1178,s0)
 network_port(dcc, udp,6276,s0, udp,6277,s0)
 network_port(dccm, tcp,5679,s0, udp,5679,s0)
-network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0)
+network_port(dhcpc, udp,68,s0, tcp,68,s0, udp,546,s0, tcp, 546,s0, udp,5546,s0, tcp, 5546,s0)
 network_port(dhcpd, udp,67,s0, udp,547,s0, tcp, 547,s0, udp,548,s0, tcp, 548,s0, tcp,647,s0, udp,647,s0, tcp,847,s0, udp,847,s0, tcp,7911,s0)
 network_port(dict, tcp,2628,s0)
 network_port(distccd, tcp,3632,s0)
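Review bot: The extended `network_port(dhcpc, …, udp,5546,s0, tcp, 5546,s0)` line labels 5546 for both protocols, while the changelog only describes a TCP control port and the sysnetwork.te hunk adds only `corenet_tcp_bind_dhcpc_port(dhcpc_t)`; because `corenet_udp_bind_dhcpc_port(dhcpc_t)` is already present there, the udp label becomes bindable as well without being asked for. If the control port is TCP-only, drop `udp,5546,s0` from the line; otherwise mention the udp side in the changelog.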
--- a/policy/modules/services/dkim.fc
+++ b/policy/modules/services/dkim.fc
@@ -1,6 +1,7 @@
 /etc/mail/dkim-milter/keys(/.*)?	gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
 /usr/sbin/dkim-filter		--	gen_context(system_u:object_r:dkim_milter_exec_t,s0)
+/usr/sbin/opendkim		--	gen_context(system_u:object_r:dkim_milter_exec_t,s0)
 
 /var/db/dkim(/.*)?			gen_context(system_u:object_r:dkim_milter_private_key_t,s0)
 
--- a/policy/modules/services/postfix.if
+++ b/policy/modules/services/postfix.if
@@ -188,7 +188,9 @@
 	allow postfix_$1_t self:capability dac_override;
 
 	domtrans_pattern(postfix_user_domtrans, postfix_$1_exec_t, postfix_$1_t)
-	in_unconfined_r(postfix_$1_t)
+	optional_policy(`
+		in_unconfined_r(postfix_$1_t)
+	')
 
 	domain_use_interactive_fds(postfix_$1_t)
 ')
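Review bot: The new `optional_policy` block around `in_unconfined_r(postfix_$1_t)` carries no comment saying why the call became optional, and the reason (unconfined.pp is not present in strict configurations, per the changelog) is not recoverable from the policy text itself; add `# unconfined may not be loaded in strict configurations` above the block. The enclosing template starts and ends outside the hunk.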
--- a/policy/modules/services/watchdog.te
+++ b/policy/modules/services/watchdog.te
@@ -93,6 +93,10 @@
 ')
 
 optional_policy(`
+	logging_read_syslog_pid_file(watchdog_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(watchdog_t)
 ')
 
--- a/policy/modules/services/hal.fc
+++ b/policy/modules/services/hal.fc
@@ -24,7 +24,6 @@
 /var/run/hald(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/haldaemon\.pid	--	 		gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/pm(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
-/var/run/pm-utils(/.*)?				gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/synce.*	 			gen_context(system_u:object_r:hald_var_run_t,s0)
 /var/run/vbe.*	 	--			gen_context(system_u:object_r:hald_var_run_t,s0)
 
--- a/policy/modules/services/devicekit.fc
+++ b/policy/modules/services/devicekit.fc
@@ -17,3 +17,4 @@
 /var/run/DeviceKit-disks(/.*)?		gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/udisks(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
 /var/run/upower(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
+/var/run/pm-utils(/.*)?			gen_context(system_u:object_r:devicekit_var_run_t,s0)
--- a/policy/modules/services/postfix.fc
+++ b/policy/modules/services/postfix.fc
@@ -34,6 +34,7 @@
 ')
 /etc/postfix/postfix-script.* -- gen_context(system_u:object_r:postfix_exec_t,s0)
 /etc/postfix/prng_exch	--	gen_context(system_u:object_r:postfix_prng_t,s0)
+/usr/sbin/postalias	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postcat	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
 /usr/sbin/postdrop	--	gen_context(system_u:object_r:postfix_postdrop_exec_t,s0)
 /usr/sbin/postfix	--	gen_context(system_u:object_r:postfix_master_exec_t,s0)
--- a/policy/modules/services/dovecot.fc
+++ b/policy/modules/services/dovecot.fc
@@ -24,7 +24,7 @@
 /usr/share/ssl/private/dovecot\.pem --	gen_context(system_u:object_r:dovecot_cert_t,s0)
 
 ifdef(`distro_debian', `
-/usr/lib/dovecot/dovecot-auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
+/usr/lib/dovecot/auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)
 ')
 
 ifdef(`distro_redhat', `
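Review bot: The `/usr/lib/dovecot/auth` line replaces the `dovecot-auth` entry outright, so a system that still has the older binary name loses its dovecot_auth_exec_t label; the lda.fc hunk does the same when it swaps `deliver` for `dovecot-lda`. If the policy is meant to cover both dovecot generations, a single alternation keeps both labelled, e.g. `/usr/lib/dovecot/(dovecot-)?auth 	--	gen_context(system_u:object_r:dovecot_auth_exec_t,s0)` and `/usr/lib/dovecot/(deliver|dovecot-lda) --	gen_context(system_u:object_r:lda_exec_t,s0)`; if only the dovecot version in wheezy is targeted, the straight replacement is fine.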
--- a/policy/modules/services/lda.fc
+++ b/policy/modules/services/lda.fc
@@ -2,7 +2,7 @@
 /usr/bin/procmail	--	gen_context(system_u:object_r:lda_exec_t,s0)
 /usr/bin/maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
 /usr/sbin/deliverquota.maildrop	--	gen_context(system_u:object_r:lda_exec_t,s0)
-/usr/lib/dovecot/deliver --	gen_context(system_u:object_r:lda_exec_t,s0)
+/usr/lib/dovecot/dovecot-lda -- gen_context(system_u:object_r:lda_exec_t,s0)
 /usr/bin/mailbot	--	gen_context(system_u:object_r:lda_exec_t,s0)
 
 /etc/courier/maildroprc	--	gen_context(system_u:object_r:lda_etc_t,s0)
--- a/policy/modules/system/logging.if
+++ b/policy/modules/system/logging.if
@@ -607,6 +607,24 @@
 
 ########################################
 ## <summary>
+##	Read the syslogd pid file
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`logging_read_syslog_pid_file',`
+	gen_require(`
+		type syslogd_var_run_t;
+	')
+
+	allow $1 syslogd_var_run_t:file read_file_perms;
+')
+
+########################################
+## <summary>
 ##	Connect to the syslog control unix stream socket.
 ## </summary>
 ## <param name="domain">
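Review bot: The new `logging_read_syslog_pid_file` interface grants only `allow $1 syslogd_var_run_t:file read_file_perms;` and gives the caller no search permission on the pid directory, so a caller that does not already have it cannot reach the file; add `files_search_pids($1)` before the allow rule, as read-pid interfaces elsewhere in refpolicy do. The call site added in watchdog.te wraps the call in `optional_policy`, which is unnecessary if logging is part of the base policy as it usually is in refpolicy; an unconditional `logging_read_syslog_pid_file(watchdog_t)` matches how other logging_* interfaces are normally called.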
--- a/policy/modules/system/lvm.te
+++ b/policy/modules/system/lvm.te
@@ -328,6 +328,10 @@
 ')
 
 optional_policy(`
+	systemd_manage_passwd_run(lvm_t)
+')
+
+optional_policy(`
 	bootloader_rw_tmp_files(lvm_t)
 ')
 
--- a/policy/modules/system/systemd.te
+++ b/policy/modules/system/systemd.te
@@ -203,14 +203,12 @@
 init_stream_connect(systemd_passwd_agent_t)
 
 miscfiles_read_localization(systemd_passwd_agent_t)
-
+selinux_getattr_fs(systemd_passwd_agent_t)
+selinux_search_fs(systemd_passwd_agent_t)
+term_write_console(systemd_passwd_agent_t)
 userdom_use_user_ptys(systemd_passwd_agent_t)
 
 optional_policy(`
-	lvm_signull(systemd_passwd_agent_t)
-')
-
-optional_policy(`
 	plymouthd_stream_connect(systemd_passwd_agent_t)
 ')
 
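Review bot: The `lvm_signull(systemd_passwd_agent_t)` optional block is removed, but neither the mail changelog nor the DEP-3 description mentions it, and it is the one permission linking the password agent to the lvm_t domain that the lvm.te hunk is adding systemd_manage_passwd_run() access for; if the agent uses signull to check that the asking cryptsetup process is still alive, the removal would break that check. Either restore the block or record in the changelog why it is no longer needed. The blank line after `miscfiles_read_localization(systemd_passwd_agent_t)` is also dropped, which leaves the three new calls and `userdom_use_user_ptys` in one run; keeping the blank line matches the surrounding layout.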
--- a/policy/modules/system/iptables.fc
+++ b/policy/modules/system/iptables.fc
@@ -15,6 +15,7 @@
 /sbin/ipvsadm			--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipvsadm-restore		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /sbin/ipvsadm-save		--	gen_context(system_u:object_r:iptables_exec_t,s0)
+/sbin/xtables-multi		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 
 /usr/sbin/ipchains.*		--	gen_context(system_u:object_r:iptables_exec_t,s0)
 /usr/sbin/iptables		--	gen_context(system_u:object_r:iptables_exec_t,s0)
--- a/policy/modules/system/sysnetwork.te
+++ b/policy/modules/system/sysnetwork.te
@@ -101,6 +101,7 @@
 corenet_udp_sendrecv_all_ports(dhcpc_t)
 corenet_tcp_bind_all_nodes(dhcpc_t)
 corenet_udp_bind_all_nodes(dhcpc_t)
+corenet_tcp_bind_dhcpc_port(dhcpc_t)
 corenet_udp_bind_dhcpc_port(dhcpc_t)
 corenet_tcp_connect_all_ports(dhcpc_t)
 corenet_sendrecv_dhcpd_client_packets(dhcpc_t)
--- a/policy/modules/system/libraries.fc
+++ b/policy/modules/system/libraries.fc
@@ -44,6 +44,7 @@
 /lib32/.*					gen_context(system_u:object_r:lib_t,s0)
 /lib32/ld-[^/]*\.so(\.[^/]*)*		--	gen_context(system_u:object_r:ld_so_t,s0)
 /lib32/security/pam_poldi\.so		--	gen_context(system_u:object_r:textrel_shlib_t,s0)
+/usr/lib/dovecot/(.*/)?lib.*\.so.*	--	gen_context(system_u:object_r:lib_t,s0)
 # for http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=677468
 /usr/lib/i386-linux-gnu/i686/cmov/libcrypto.so.1.0.0 -- gen_context(system_u:object_r:textrel_shlib_t,s0)
 ', `
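Review bot: The added `/usr/lib/dovecot/(.*/)?lib.*\.so.*` pattern ends in an unanchored `.so.*`, so it also matches names such as `libfoo.so.conf` or `libfoo.sock`, whereas the `ld-[^/]*\.so(\.[^/]*)*` line above shows the form this file uses for versioned shared objects; prefer `/usr/lib/dovecot/(.*/)?lib.*\.so(\.[^/]*)*	--	gen_context(system_u:object_r:lib_t,s0)`. The DEP-3 description says `libdovecot.*\.so.*` while this hunk and the mail changelog say `(.*/)?lib.*\.so.*`, so one of them should be brought in line with the other.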

