From: Russell Coker <russell@coker.com.au>
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] type transition rules for Debian installations
Date: Sat, 30 Jan 2021 04:15:04 +1100 [thread overview]
Message-ID: <YBRCmE+xtcaupuQo@xev> (raw)
This patch has named type transition rules for the creation of directories
without specifying the type, hopefully these will be removed at some future
time when the package maintainer does things differently, but that won't
happen soon.
Signed-off-by: Russell Coker <russell@coker.com.au>
Index: refpolicy-2.20210129/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210129/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')
- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')
#######################################
Index: refpolicy-2.20210129/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210129/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)
init_all_labeled_script_domtrans(dpkg_script_t)
@@ -307,10 +308,20 @@ optional_policy(`
')
optional_policy(`
+ aptcacher_create_cache_dir(dpkg_script_t)
+ aptcacher_create_conf_dir(dpkg_script_t)
+ aptcacher_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')
optional_policy(`
+ clamav_create_freshclam_log(dpkg_script_t)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')
@@ -327,6 +338,11 @@ optional_policy(`
')
optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
nis_use_ypbind(dpkg_script_t)
')
Index: refpolicy-2.20210129/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210129/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210129/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210129/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
########################################
## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mysqld home files.
## </summary>
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')
logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')
+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
Index: refpolicy-2.20210129/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210129/policy/modules/services/clamav.if
@@ -430,3 +430,21 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_create_freshclam_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
Index: refpolicy-2.20210129/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210129/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_create_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210129/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210129/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_create_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210129/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210129.orig/policy/modules/system/init.te
+++ refpolicy-2.20210129/policy/modules/system/init.te
@@ -1287,6 +1287,10 @@ optional_policy(`
')
optional_policy(`
+ ftp_create_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
rpc_read_exports(initrc_t)
')
reply other threads:[~2021-01-29 17:18 UTC|newest]
Thread overview: [no followups] expand[flat|nested] mbox.gz Atom feed
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=YBRCmE+xtcaupuQo@xev \
--to=russell@coker.com.au \
--cc=selinux-refpolicy@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for read-only IMAP folder(s) and NNTP newsgroup(s).