From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] misc network patches
Date: Wed, 20 Jan 2021 20:42:21 +1100 [thread overview]
Message-ID: <YAf6/c8XKLACDF9P@xev> (raw)
Collection of net-related patches, ready for inclusion.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210120/policy/modules/admin/netutils.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/admin/netutils.te
+++ refpolicy-2.20210120/policy/modules/admin/netutils.te
@@ -109,6 +109,7 @@ allow ping_t self:tcp_socket create_sock
allow ping_t self:rawip_socket { create ioctl read write bind getopt setopt getattr };
allow ping_t self:packet_socket { create ioctl read write bind getopt setopt };
allow ping_t self:netlink_route_socket create_netlink_socket_perms;
+allow ping_t self:icmp_socket create;
corenet_all_recvfrom_netlabel(ping_t)
corenet_sendrecv_icmp_packets(ping_t)
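Review bot: The new `allow ping_t self:icmp_socket create;` grants only `create`, so a ping that actually opens an ICMP datagram socket (the unprivileged `net.ipv4.ping_group_range` path) would still be denied `bind`, `setopt`, `read` and `write` on it and would fall back to the raw socket. If the denial was seen only for `create` because the socket is probed and discarded, the rule is fine but should say so, e.g. `# ping probes an ICMP datagram socket before falling back to rawip`; if the socket is really used, `allow ping_t self:icmp_socket create_socket_perms;` is the rule to carry. A lone `create` on a socket class is unusual in this file, so the intent deserves one line either way.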
@@ -164,13 +165,14 @@ allow traceroute_t self:capability { net
allow traceroute_t self:fifo_file rw_inherited_fifo_file_perms;
allow traceroute_t self:process signal;
allow traceroute_t self:rawip_socket create_socket_perms;
-allow traceroute_t self:packet_socket create_socket_perms;
+allow traceroute_t self:packet_socket { map create_socket_perms };
allow traceroute_t self:udp_socket create_socket_perms;
can_exec(traceroute_t, traceroute_exec_t)
kernel_read_system_state(traceroute_t)
kernel_read_network_state(traceroute_t)
+kernel_search_fs_sysctls(traceroute_t)
corecmd_search_bin(traceroute_t)
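Review bot: `map` on `traceroute_t self:packet_socket` and `kernel_search_fs_sysctls(traceroute_t)` are both added without a comment naming which traceroute implementation needs them, and neither follows from the surrounding rules. `map` on a packet socket presumably covers an mmap'd receive ring; if so, a one-line `# map: mmap'd packet ring used when receiving replies` above the rule, and a similar note on the fs-sysctl search, would let a later reviewer distinguish a required grant from a stray denial that was simply allowed.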
@@ -205,6 +207,7 @@ auth_use_nsswitch(traceroute_t)
logging_send_syslog_msg(traceroute_t)
+miscfiles_read_generic_certs(traceroute_t)
miscfiles_read_localization(traceroute_t)
userdom_use_inherited_user_terminals(traceroute_t)
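Review bot: `miscfiles_read_generic_certs(traceroute_t)` has no comment, and a network probe tool reading the system CA store is not self-explanatory; a reader cannot tell whether a linked library merely opens the certificate directory at start-up or whether some traceroute variant consumes certificates. If it is only a library probe, a dontaudit rule is the tighter fix; otherwise add `# for <BINARY_OR_LIBRARY_THAT_NEEDS_THE_CA_BUNDLE>` above the call so the grant is traceable.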
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
/etc/dhcp3?/dhclient.* gen_context(system_u:object_r:dhcp_etc_t,s0)
/etc/systemd/network(/.*)? gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf -- gen_context(system_u:object_r:net_conf_t,s0)
ifdef(`distro_redhat',`
/etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
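Review bot: The new `/etc/tor/torsocks.conf` entry labels a file under `/etc/tor` as `net_conf_t`, which is readable by every domain that calls `sysnet_read_config`, so the hunk should record why that breadth is intended; presumably the preloaded torsocks library reads it from whatever domain the wrapped program happens to run in. A comment such as `# read by libtorsocks from any domain running under torsocks` above the entry would capture that. If the tor module labels `/etc/tor(/.*)?` with its own type, this more specific path overrides it silently, which belongs in the commit message.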
Index: refpolicy-2.20210120/policy/modules/system/sysnetwork.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/sysnetwork.te
+++ refpolicy-2.20210120/policy/modules/system/sysnetwork.te
@@ -5,6 +5,14 @@ policy_module(sysnetwork, 1.26.3)
# Declarations
#
+## <desc>
+## <p>
+## Determine whether DHCP client
+## can manage samba
+## </p>
+## </desc>
+gen_tunable(dhcpc_manage_samba, false)
+
attribute_role dhcpc_roles;
roleattribute system_r dhcpc_roles;
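Review bot: The `<desc>` for `dhcpc_manage_samba` says only "manage samba", while the `tunable_policy` block it guards (later hunk of this file) lets the DHCP client write samba's var files and start, stop and reload the samba unit; this description is what administrators see in setsebool/semanage output and should state that scope. Suggested text: `Determine whether the DHCP client can write samba's var files and start, stop and reload the samba service.` The concrete use case (presumably a dhclient hook that rewrites a samba include from DHCP options) belongs in the commit message rather than the boolean description.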
@@ -175,6 +183,15 @@ ifdef(`init_systemd',`
')
optional_policy(`
+ tunable_policy(`dhcpc_manage_samba',`
+ samba_manage_var_files(dhcpc_t)
+ init_exec_script_files(dhcpc_t)
+ init_get_system_status(dhcpc_t)
+ samba_restart(dhcpc_t)
+ ')
+')
+
+optional_policy(`
avahi_domtrans(dhcpc_t)
')
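Review bot: The tunable block grants `init_exec_script_files(dhcpc_t)` and `init_get_system_status(dhcpc_t)` next to the samba calls, and those two are not samba-specific: once the boolean is on, the DHCP client, a domain that parses data received from the network, may execute any init script file rather than only the one that restarts samba. If the hook goes through systemctl rather than an init script, the script exec is probably unnecessary; either way a comment naming the hook should precede the block, e.g. `# dhclient samba hook: rewrite the DHCP-derived samba include and reload the daemon`. The `optional_policy` nesting is right, since the `samba_*` interfaces exist only when the samba module is loaded.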
Index: refpolicy-2.20210120/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20210120/policy/modules/roles/staff.te
@@ -15,6 +15,10 @@ userdom_unpriv_user_template(staff)
#
corenet_ib_access_unlabeled_pkeys(staff_t)
+corenet_tcp_bind_all_unreserved_ports(staff_t)
+corenet_udp_bind_all_unreserved_ports(staff_t)
+corenet_tcp_bind_generic_node(staff_t)
+
optional_policy(`
apache_role(staff_r, staff_t)
')
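Review bot: The three `corenet_*_bind_*` calls on `staff_t` are unconditional, while the same three calls for `user_t` in `unprivuser.te` (next file) sit inside the new `user_bind_unreserved` tunable; a staff login can therefore bind listening sockets on every unreserved port with no boolean to turn it off, the reverse of how the patch treats the less privileged role. Guarding these lines with the same tunable, or a `staff_bind_unreserved` one declared in this file, keeps the two roles consistent. Separately, `corenet_udp_bind_all_unreserved_ports` is paired only with `corenet_tcp_bind_generic_node`; unless the user template already grants udp `node_bind`, the udp port rule cannot take effect without a matching `corenet_udp_bind_generic_node(staff_t)`, and the `unprivuser.te` block has the same gap.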
@@ -36,6 +40,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(staff_t)
+')
+
+optional_policy(`
postgresql_role(staff_r, staff_t)
')
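Review bot: `netutils_domtrans_ping(staff_t)` is unconditional, yet the netutils module carries a `user_ping` tunable with `netutils_run_ping_cond`; if the user template applies that for staff, this line grants the transition regardless of the boolean and quietly retires it for `staff_t`. If ping is meant to be always available, the boolean-gated path should be dropped in the same change or the commit message should say why both are kept; the same applies to the `netutils_domtrans_ping(user_t)` hunk in `unprivuser.te`. Note also that `domtrans` does not add `ping_t` to `staff_r` the way the `run` variant does, so confirm the role allow exists elsewhere.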
@@ -65,6 +73,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(staff_t)
+')
+
+optional_policy(`
xscreensaver_role(staff_r, staff_t)
')
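Review bot: `xdg_exec_data(staff_t)` allows executing anything labelled `xdg_data_t`, i.e. the whole user-writable `~/.local/share`, not only the Tor Browser tree the `# for torbrowser-launcher` comment refers to; it is a general "run user-writable files" grant and should be visible as one. Putting it behind a tunable would keep the default closed, and the comment should name the mechanism, e.g. `# for torbrowser-launcher: presumably runs the browser it unpacks under ~/.local/share`. The same line is added for `user_t` in `unprivuser.te`.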
Index: refpolicy-2.20210120/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20210120/policy/modules/roles/unprivuser.te
@@ -7,11 +7,23 @@ policy_module(unprivuser, 2.10.0)
#
# Declarations
#
+## <desc>
+## <p>
+## Allow user to bind all unreserved ports
+## </p>
+## </desc>
+gen_tunable(user_bind_unreserved, false)
#role user_r;
userdom_unpriv_user_template(user)
+tunable_policy(`user_bind_unreserved', `
+ corenet_tcp_bind_all_unreserved_ports(user_t)
+ corenet_udp_bind_all_unreserved_ports(user_t)
+ corenet_tcp_bind_generic_node(user_t)
+')
+
optional_policy(`
apache_role(user_r, user_t)
')
@@ -25,6 +37,10 @@ optional_policy(`
')
optional_policy(`
+ netutils_domtrans_ping(user_t)
+')
+
+optional_policy(`
screen_role_template(user, user_r, user_t)
')
@@ -33,6 +49,11 @@ optional_policy(`
')
optional_policy(`
+ # for torbrowser-launcher
+ xdg_exec_data(user_t)
+')
+
+optional_policy(`
xscreensaver_role(user_r, user_t)
')
Index: refpolicy-2.20210120/policy/modules/services/samba.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/samba.if
+++ refpolicy-2.20210120/policy/modules/services/samba.if
@@ -729,3 +729,22 @@ interface(`samba_admin',`
files_list_tmp($1)
admin_pattern($1, { swat_tmp_t smbd_tmp_t winbind_tmp_t })
')
+
+########################################
+## <summary>
+## Restart and get status of samba daemon
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`samba_restart',`
+ gen_require(`
+ type samba_unit_t;
+ ')
+
+ allow $1 samba_unit_t:file getattr;
+ allow $1 samba_unit_t:service { start stop status reload };
+')
Index: refpolicy-2.20210120/policy/modules/system/xdg.if
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/system/xdg.if
+++ refpolicy-2.20210120/policy/modules/system/xdg.if
@@ -921,6 +921,24 @@ interface(`xdg_watch_documents_dirs',`
########################################
## <summary>
+## Allow executing the xdg data home files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`xdg_exec_data',`
+ gen_require(`
+ type xdg_data_t;
+ ')
+
+ can_exec($1, xdg_data_t)
+')
+
+########################################
+## <summary>
## Create objects in the user home dir with an automatic type transition to
## the xdg_documents_t type.
## </summary>
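Review bot: The `xdg_exec_data` summary should state what the grant implies: `xdg_data_t` is user-writable home content, so `can_exec` on it lets the caller run any file the user can write under the XDG data home, which is the property a caller must weigh before using the interface. Suggested summary text: `Execute files in the user's XDG data home (xdg_data_t). These files are user-writable, so this permits running user-modifiable content.`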
Index: refpolicy-2.20210120/policy/modules/services/mon.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mon.te
+++ refpolicy-2.20210120/policy/modules/services/mon.te
@@ -58,6 +58,9 @@ manage_files_pattern(mon_t, mon_var_log_
manage_files_pattern(mon_t, mon_runtime_t, mon_runtime_t)
files_runtime_filetrans(mon_t, mon_runtime_t, file)
+# to read fips_enabled
+kernel_read_crypto_sysctls(mon_t)
+
kernel_read_kernel_sysctls(mon_t)
kernel_read_network_state(mon_t)
kernel_read_system_state(mon_t)
Index: refpolicy-2.20210120/policy/modules/services/mailman.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/mailman.te
+++ refpolicy-2.20210120/policy/modules/services/mailman.te
@@ -112,6 +112,7 @@ corecmd_exec_bin(mailman_cgi_t)
dev_read_urand(mailman_cgi_t)
files_search_locks(mailman_cgi_t)
+files_read_usr_files(mailman_cgi_t)
term_use_controlling_term(mailman_cgi_t)
Index: refpolicy-2.20210120/policy/modules/services/dkim.te
===================================================================
--- refpolicy-2.20210120.orig/policy/modules/services/dkim.te
+++ refpolicy-2.20210120/policy/modules/services/dkim.te
@@ -35,6 +35,7 @@ kernel_read_vm_overcommit_sysctl(dkim_mi
corenet_udp_bind_generic_node(dkim_milter_t)
corenet_udp_bind_all_unreserved_ports(dkim_milter_t)
+corenet_udp_bind_generic_port(dkim_milter_t)
dev_read_urand(dkim_milter_t)
# for cpu/online
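Review bot: `corenet_udp_bind_generic_port(dkim_milter_t)` is added without a comment although the line just below it carries one, and it sits beside `corenet_udp_bind_all_unreserved_ports`, so a reader cannot tell which bind was denied or why the existing rule did not cover it. A short `# for <WHAT_BINDS_THE_GENERIC_UDP_PORT>` line, filled in from the denial, would make the grant reviewable.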