[DSE-Dev] current patches

Russell Coker russell at coker.com.au
Mon Jan 13 23:27:05 UTC 2014


The current policy patches from my tree seem good and uncontroversial (there's 
no other way of doing it).  The ssh patch probably isn't all that needs to be 
done (surely something is going to be done with that directory) but at this 
stage all we can do is allow the harmless actions that sshd is taking on my 
system.

How are we going to manage updates to the refpolicy package?  Should I just 
upload a new version with these patches?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
-------------- next part --------------
Description: allow semanage to change the policy store
Author: Russell Coker <russell at coker.com.au>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20131214/policy/modules/system/selinuxutil.te
@@ -102,6 +102,8 @@ role semanage_roles types semanage_t;
 
 type semanage_store_t;
 files_type(semanage_store_t)
+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
+allow semanage_t semanage_store_t:lnk_file manage_lnk_file_perms;
 
 type semanage_read_lock_t;
 files_type(semanage_read_lock_t)
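Review bot: `allow semanage_t semanage_store_t:lnk_file manage_lnk_file_perms;` grants create, unlink and rename of symlinks anywhere in the store, while the description only says semanage needs to "change the policy store"; if the observed denials were for reading or following a link, `read_lnk_file_perms` is the tighter fit, and if the tool really replaces symlinks during a commit, a one-line comment above the rule should say so. Both new rules are also placed in the type-declaration block for `semanage_store_t` rather than in the semanage_t local policy section where the rest of that domain's rules live; move them there. The `filetrans_pattern(..., dir, "tmp")` is fine as written, but document which path under the store it covers so the name-based transition is traceable.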
-------------- next part --------------
Description: Make the system work when unconfined.pp is not loaded
Author: Russell Coker <russell at coker.com.au>
Last-Update: 2014-01-12

--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -35,6 +35,9 @@
 
 init_exec(sysadm_t)
 
+# for sepolgen-ifgen
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
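Review bot: `selinux_read_policy(sysadm_t)` exposes the entire loaded kernel policy to the sysadm role and the comment `# for sepolgen-ifgen` does not say why that is needed; expand it to note that sepolgen-ifgen reads the binary policy from the selinuxfs policy file, so reviewers can see the permission is required rather than incidental. Consider whether this belongs alongside the policy-management tooling in an `optional_policy` block instead of unconditionally in the base role. This hunk is also unrelated to the initrc_t changes in the same patch; splitting it into its own patch would make both easier to review and revert.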
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -67,6 +67,25 @@
 # but this has a typeattribute in it
 corecmd_shell_entry_type(initrc_t)
 
+# for init scripts when initrc_t is not unconfined
+allow initrc_t var_run_t:dir create;
+allow initrc_t tmpfs_t:file create;
+allow initrc_t var_lock_t:file create;
+allow initrc_t var_run_t:file write;
+fs_manage_tmpfs_dirs(initrc_t)
+
+# for creating /run/sendsigs.omit.d links
+allow initrc_t var_run_t:lnk_file create;
+
+# to touch /run/lock/.tmpfs
+allow initrc_t var_lock_t:file { write open };
+
+# to touch /run/shm/.tmpfs
+allow initrc_t tmpfs_t:file { write open };
+
+# for /run/network/ifstate
+sysnet_manage_config(initrc_t)
+
 type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
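Review bot: the raw `allow initrc_t var_run_t:...`, `var_lock_t:...` and `tmpfs_t:...` rules reference types owned by the files and filesystem modules directly, which refpolicy convention reserves for that module's own interfaces; express them through the corresponding `files_*` and `fs_*` interfaces instead, as `fs_manage_tmpfs_dirs(initrc_t)` already does. `allow initrc_t var_run_t:file write;` also lets every init script write to any file carrying the generic pid type, not just the ones named in the comments. Two pairs of rules split one type and class across two statements (`var_lock_t:file create` at the top and `var_lock_t:file { write open }` further down, likewise `tmpfs_t:file create` and `tmpfs_t:file { write open }`); merge each pair into a single `{ create open write }` rule with one comment. Finally, `sysnet_manage_config(initrc_t)` for `/run/network/ifstate` grants manage rights over all of `net_conf_t`, which also covers files such as /etc/resolv.conf; a dedicated type for ifstate with a file transition, or a narrower interface, would keep the grant to what the comment describes.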
@@ -782,6 +801,7 @@
 
 optional_policy(`
 	postfix_list_spool(initrc_t)
+	postfix_read_config(initrc_t)
 ')
 
 optional_policy(`
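Review bot: `postfix_read_config(initrc_t)` lands without a comment saying which init script needs to read postfix's configuration, unlike the rules earlier in this patch; add one (and mention the postfix case in the patch description), so a later cleanup does not drop it as an unexplained grant.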
-------------- next part --------------
Description: allow watchdog_t to read all pid files
Author: Russell Coker <russell at coker.com.au>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/contrib/watchdog.te
+++ refpolicy-2.20131214/policy/modules/contrib/watchdog.te
@@ -75,6 +75,8 @@ fs_search_auto_mountpoints(watchdog_t)
 
 auth_append_login_records(watchdog_t)
 
+files_read_all_pids(watchdog_t)
+
 logging_send_syslog_msg(watchdog_t)
 
 miscfiles_read_localization(watchdog_t)
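Review bot: `files_read_all_pids(watchdog_t)` lets the daemon read every pid file on the system and carries no comment; the watchdog pidfile test reads whichever pid files the administrator lists in its configuration, which is the justification for a broad rule, so state that in a comment above the call. If the denials that prompted this came from one or two specific daemons' pid files, say so in the description as well, so a narrower rule can be considered later.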
-------------- next part --------------
Description: Support /run/sshd
Author: Russell Coker <russell at coker.com.au>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/services/ssh.fc
+++ refpolicy-2.20131214/policy/modules/services/ssh.fc
@@ -14,3 +14,4 @@ HOME_DIR/\.ssh(/.*)?			gen_context(syste
 /usr/sbin/sshd			--	gen_context(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid	--	gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd(/.*)?			gen_context(system_u:object_r:sshd_var_run_t,s0)
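Review bot: `/var/run/sshd(/.*)?` is added under /var/run while the directory the .te change creates via `init_daemon_run_dir(sshd_var_run_t, "sshd")` lives under /run on Debian; confirm that relabelling (`restorecon -Rv /run/sshd`) picks up this entry through the /run to /var/run path substitution on the target systems, otherwise the runtime transition and the file-context entry will disagree after a relabel. The new pattern does not collide with the existing `/var/run/sshd\.init\.pid` entry above it, since it only matches `sshd` followed by end of path or a slash.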
--- refpolicy-2.20131214.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20131214/policy/modules/services/ssh.te
@@ -35,6 +35,7 @@ init_daemon_domain(sshd_t, sshd_exec_t)
 
 ifdef(`distro_debian',`
 	init_daemon_run_dir(sshd_var_run_t, "sshd")
+	allow sshd_t sshd_var_run_t:dir { getattr search };
 ')
 
 type sshd_key_t;
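Review bot: `allow sshd_t sshd_var_run_t:dir { getattr search };` spells out a permission set that refpolicy already names; `search_dir_perms` is the idiomatic form and also includes `open`, which sshd will need as soon as it does more than traverse the directory. Since the covering e-mail says this is only the harmless subset of what sshd does with /run/sshd today, a short comment recording that the rule is a placeholder pending the full set of accesses would help the next person who revisits this `ifdef(distro_debian)` block.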


More information about the SELinux-devel mailing list