The current policy patches from my tree seem good and uncontroversial (there is 
no other way of doing it).  The ssh patch probably isn't all that needs to be 
done (surely something more is going to be done with that directory), but at this 
stage all we can do is allow the harmless actions that sshd is taking on my 
system.

How are we going to manage updates to the refpolicy package?  Should I just 
upload a new version with these patches?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/
Description: allow semanage to change the policy store
Author: Russell Coker <[email protected]>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20131214/policy/modules/system/selinuxutil.te
@@ -102,6 +102,8 @@ role semanage_roles types semanage_t;
 
 type semanage_store_t;
 files_type(semanage_store_t)
+filetrans_pattern(semanage_t, selinux_config_t, semanage_store_t, dir, "tmp")
+allow semanage_t semanage_store_t:lnk_file manage_lnk_file_perms;
 
 type semanage_read_lock_t;
 files_type(semanage_read_lock_t)
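Review bot: The two added rules carry no comment saying which semanage operation needs them, unlike the surrounding declarations, and neither the name transition to a directory literally called `tmp` nor the full `manage_lnk_file_perms` on the store is self-explanatory. I would put a comment above the `filetrans_pattern` line along the lines of `# semanage builds the new store under <store>/tmp and switches to it via a symlink` — that is my reading of the rules, so confirm the mechanism before committing the wording. If the symlink is only created and renamed rather than written, `manage_lnk_file_perms` could probably be narrowed; that cannot be decided from the hunk alone.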
Description: Make the system work when unconfined.pp is not loaded
Author: Russell Coker <[email protected]>
Last-Update: 2014-01-12

--- a/policy/modules/roles/sysadm.te
+++ b/policy/modules/roles/sysadm.te
@@ -35,6 +35,9 @@
 
 init_exec(sysadm_t)
 
+# for sepolgen-ifgen
+selinux_read_policy(sysadm_t)
+
 # Add/remove user home directories
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
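Review bot: `selinux_read_policy(sysadm_t)` is an unconditional grant for one tool, so every sysadm_t process can read the loaded kernel policy whether or not sepolgen-ifgen is installed. Refpolicy usually places tool-specific access like this in an `optional_policy(` block (or behind a tunable) next to the related module's interfaces rather than as a bare rule; consider whether it belongs there. The comment should also say what is being read, e.g. `# sepolgen-ifgen reads the loaded kernel policy via selinuxfs`.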
--- a/policy/modules/system/init.te
+++ b/policy/modules/system/init.te
@@ -67,6 +67,25 @@
 # but this has a typeattribute in it
 corecmd_shell_entry_type(initrc_t)
 
+# for init scripts when initrc_t is not unconfined
+allow initrc_t var_run_t:dir create;
+allow initrc_t tmpfs_t:file create;
+allow initrc_t var_lock_t:file create;
+allow initrc_t var_run_t:file write;
+fs_manage_tmpfs_dirs(initrc_t)
+
+# for creating /run/sendsigs.omit.d links
+allow initrc_t var_run_t:lnk_file create;
+
+# to touch /run/lock/.tmpfs
+allow initrc_t var_lock_t:file { write open };
+
+# to touch /run/shm/.tmpfs
+allow initrc_t tmpfs_t:file { write open };
+
+# for /run/network/ifstate
+sysnet_manage_config(initrc_t)
+
 type initrc_devpts_t;
 term_pty(initrc_devpts_t)
 files_type(initrc_devpts_t)
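Review bot: `sysnet_manage_config(initrc_t)` is a far wider grant than its comment `# for /run/network/ifstate` suggests: it gives every init script manage access to everything labelled net_conf_t (which, if I remember the contrib policy correctly, covers the resolver and hosts configuration as well), not just the ifstate file. A narrower fix would be to give the ifstate file, or the /run/network directory, its own type and grant initrc_t access to that alone. Separately, the bare `allow initrc_t var_run_t:...`, `tmpfs_t:...` and `var_lock_t:...` rules reach into types owned by other modules; refpolicy style is to call the owning module's files_* / fs_* interfaces, and doing so would also fold the split rules for one type and class (`var_lock_t:file create` and later `var_lock_t:file { write open }`, likewise for tmpfs_t) into a single call each. Nothing gates these rules on unconfined.pp being absent, so they are active in every build; if that is intended, the leading comment should say so.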
@@ -782,6 +801,7 @@
 
 optional_policy(`
        postfix_list_spool(initrc_t)
+       postfix_read_config(initrc_t)
 ')
 
 optional_policy(`
Description: allow watchdog_t to read all pid files
Author: Russell Coker <[email protected]>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/contrib/watchdog.te
+++ refpolicy-2.20131214/policy/modules/contrib/watchdog.te
@@ -75,6 +75,8 @@ fs_search_auto_mountpoints(watchdog_t)
 
 auth_append_login_records(watchdog_t)
 
+files_read_all_pids(watchdog_t)
+
 logging_send_syslog_msg(watchdog_t)
 
 miscfiles_read_localization(watchdog_t)
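Review bot: `files_read_all_pids(watchdog_t)` lets the daemon read every pid file on the system and the hunk gives no reason, where refpolicy convention is a comment above a grant this broad. If the motivation is that watchdog.conf `pidfile` entries can name any daemon's pid file, say so: `# watchdog.conf pidfile entries may reference any daemon's pid file`. If only one or two specific pid files were actually hit on your system, the narrower per-module read interfaces would be preferable.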
Description: Support /run/sshd
Author: Russell Coker <[email protected]>
Last-Update: 2014-01-12

--- refpolicy-2.20131214.orig/policy/modules/services/ssh.fc
+++ refpolicy-2.20131214/policy/modules/services/ssh.fc
@@ -14,3 +14,4 @@ HOME_DIR/\.ssh(/.*)?                  gen_context(syste
 /usr/sbin/sshd                 --      
gen_context(system_u:object_r:sshd_exec_t,s0)
 
 /var/run/sshd\.init\.pid       --      
gen_context(system_u:object_r:sshd_var_run_t,s0)
+/var/run/sshd(/.*)?                    
gen_context(system_u:object_r:sshd_var_run_t,s0)
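Review bot: The ssh.fc hunk as posted has every file-context line wrapped by the mailer — the `gen_context(...)` column of each entry, including the new `/var/run/sshd(/.*)?` line, has landed on the following line — so this patch will not apply from the mail body; please resend it as an attachment or re-check the posted diff against your tree. The entry itself is consistent with the neighbouring `sshd\.init\.pid` line (no class column, since the pattern covers a directory tree) and the two regexes do not overlap. Note that the fc entry is unconditional while the matching ssh.te rule is inside `ifdef(`distro_debian'`; that is harmless where the path does not exist, but worth a comment in one of the two places.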
--- refpolicy-2.20131214.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20131214/policy/modules/services/ssh.te
@@ -35,6 +35,7 @@ init_daemon_domain(sshd_t, sshd_exec_t)
 
 ifdef(`distro_debian',`
        init_daemon_run_dir(sshd_var_run_t, "sshd")
+       allow sshd_t sshd_var_run_t:dir { getattr search };
 ')
 
 type sshd_key_t;
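Review bot: The new `allow sshd_t sshd_var_run_t:dir { getattr search };` has no comment explaining what sshd does with /run/sshd, and the cover note itself expects more to be needed; a comment such as `# /run/sshd: stat and traverse only for now, more may follow` would help whoever extends it. If /run/sshd is the privilege-separation directory (inferred from the name only), the unprivileged child also chroots into it, which would explain why this rule alone is not the whole story. Also check whether the existing file-management rules on sshd_var_run_t elsewhere in this file already cover `dir` access, in which case this rule is redundant.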