Re: SE Linux policy update

To: "Adam D. Barratt" <adam@adam-barratt.org.uk>
Cc: debian-release@lists.debian.org
Subject: Re: SE Linux policy update
From: Russell Coker <russell@coker.com.au>
Date: Sat, 19 Mar 2011 14:58:28 +1100
Message-id: <[🔎] 201103191458.29020.russell@coker.com.au>
Reply-to: russell@coker.com.au
In-reply-to: <[🔎] 1299872641.24129.78.camel@hathi.jungle.funky-badger.org>
References: <[🔎] 201103112321.54091.russell@coker.com.au> <[🔎] 1299872641.24129.78.camel@hathi.jungle.funky-badger.org>

On Sat, 12 Mar 2011, "Adam D. Barratt" <adam@adam-barratt.org.uk> wrote:
> On Fri, 2011-03-11 at 23:21 +1100, Russell Coker wrote:
> > The user friendly change list is that this makes USB flash storage
> > devices usable by default on the desktop, Iceweasel works correctly,
> > upowerd is run correctly in the devicekit_power_t domain, KDE mysqld
> > access works, fetchmail works as a daemon, Xen starts DomUs on boot, and
> > NetworkManager and similar programs (such as wicd) give more
> > functionality.
> > 
> > These are all serious updates that can be considered as "a truly critical
> > functionality problem" for some users.
> 
> "Truly critical for some users" is a fairly large set of issues,
> particularly for small values of "some".  Have all of your proposed
> changes been tested on Squeeze systems to ensure that they operate
> correctly in that environment and don't introduce any regressions?

They have all been tested on multiple systems.  Also many of the changes are 
related to things that didn't work at all previously so there was little scope 
for regression.

> > I've attached a full diff between the version in Squeeze and my proposed
> > update.
> > 
> > Please let me know what else I have to do to get this included.
> > 
> >  refpolicy (2:0.2.20100524-8) unstable; urgency=low
> 
> For stable that will want to be -7+squeeze1 (or I suppose -8~squeeze1 if
> you want and all of the fixes get acked).

OK.

> >    * Add tunable user_manage_dos_files which defaults to true
> 
> What's the current behaviour?  All users can manage such files, or none
> can?

None.

> >    * Correctly label /usr/lib/xulrunner-1.9.1/xulrunner-stub
> >    * Allow mozilla to create directories under /tmp
> >    * Use correct label for /usr/lib/libgconf2-4/gconfd-2 and load
> >    gnome.pp on
> >    
> >      installation if libgconf2-4 is installed
> >    
> >    * Use correct label for /usr/lib/upower/upowerd
> >    * Dontaudit bind_t write attempts to / for lwresd calling access(".",
> >    W_OK)
> 
> "Don't audit"

Stops filling the logs when the daemon is just asking whether the directory is 
writable.
 
> >    * Allow user domains to execute mysqld_exec_t, for KDE
> >    * Allow user_dbusd_t to execute gconfd_exec_t in user_gconfd_t.
> 
> That's this change?
> 
> +
> +       optional_policy(`
> +               gnome_role($2, $1_dbusd_t)
> +       ')
>  ')
> 
> Apologies if I'm missing something, but that doesn't appear to be
> gconfd-specific at all.

Below is the definition of gnome_role, when it is called the first parameter 
$1 equals the second parameter $2 from the above optional_policy and $2 is the 
$1_dbusd_t.  So it substitutes to domain_auto_trans($1_dbusd_t, gconfd_exec_t, 
gconfd_t).  That matches the description in the changelog.

interface(`gnome_role',`
        gen_require(`
                type gconfd_t, gconfd_exec_t;
                type gconf_tmp_t;
        ')

        role $1 types gconfd_t;

        7+squeeze1
        allow gconfd_t $2:fd use;
        allow gconfd_t $2:fifo_file write;
        allow gconfd_t $2:unix_stream_socket connectto;

        ps_process_pattern($2, gconfd_t)

        #gnome_stream_connect_gconf_template($1, $2)
        read_files_pattern($2, gconf_tmp_t, gconf_tmp_t)
        allow $2 gconfd_t:unix_stream_socket connectto;
')

> diff -ru /tmp/t/refpolicy//policy/modules/kernel/files.fc
> ./policy/modules/kernel/files.fc ---
> /tmp/t/refpolicy//policy/modules/kernel/files.fc    2011-03-11
> 23:19:40.372420590 +1100 +++ ./policy/modules/kernel/files.fc   
> 2011-02-10 13:04:15.583492220 +1100 @@ -119,7 +119,7 @@
>  #
>  # Mount points; do not relabel subdirectories, since
>  # we don't want to change any removable media by default.
> -/media(/[^/]*)         -l      gen_context(system_u:object_r:mnt_t,s0)
> +/media/[^/]*           -l      gen_context(system_u:object_r:mnt_t,s0)
> 
> Is this part of one of the items mentioned in the changelog?  If so,
> which one?  My possibly naive assumption was that the above is a no-op
> change.

You are correct, I've removed that now.

> diff -ru /tmp/t/refpolicy//policy/modules/services/mysql.te
> ./policy/modules/services/mysql.te ---
> /tmp/t/refpolicy//policy/modules/services/mysql.te  2011-03-11
> 23:19:40.360430274 +1100 +++ ./policy/modules/services/mysql.te 
> 2011-02-09 10:18:33.395481018 +1100 @@ -242,3 +242,4 @@
>  miscfiles_read_localization(mysqlmanagerd_t)
> 
>  userdom_getattr_user_home_dirs(mysqlmanagerd_t)
> +
> 
> Was there supposed to be a change included there, other than the
> presumably spuriously added newline?

Again you are correct, I've removed that too.

Now what's the procedure for uploading it?  Do I just replace "unstable" with 
"stable" in the changelog, use the version number you requested, and then 
upload it?

-- 
My Main Blog         http://etbe.coker.com.au/
My Documents Blog    http://doc.coker.com.au/

Reply to:

Follow-Ups:
- Re: SE Linux policy update
  - From: Russell Coker <russell@coker.com.au>
- Re: SE Linux policy update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

References:
- SE Linux policy update
  - From: Russell Coker <russell@coker.com.au>
- Re: SE Linux policy update
  - From: "Adam D. Barratt" <adam@adam-barratt.org.uk>

Prev by Date: Re: [php-maint] Updates to gmp dependent packages
Next by Date: Re: SE Linux policy update
Previous by thread: Re: SE Linux policy update
Next by thread: Re: SE Linux policy update
Index(es):
- Date
- Thread