After a quick discussion with dominique, new attempt due to two issues:
1. No need (or even forbidden) to have "role $1 types foo_exec_t"
2. Suggestion to use the raid_run_mdadm name instead of raid_mdadm_role. The
idea here is to use raid_mdadm_role for prefixed domains (cfr. screen)
whereas raid_run_mdadm is to transition and run into a specific domain
Without wanting to (re?)start any discussion on prefixed versus non-prefixed
domains, such a naming convention could help us to keep the reference policy
cleaner (and naming conventions easy).
Also, the refpolicy InterfaceNaming document only talks about run, not role.
So, without much further ado... ;-)
The system administrator (sysadm_r role) needs to use mdadm, but is not
allowed to use the mdadm_t type.
Rather than extend raid_domtrans_mdadm to allow this as well, use a
raid_mdadm_role (a bit more in line with other role usages).
The other users of raid_domtrans_mdadm are all domains that run in system_r
role, which does have this type allowed (as per the system/raid.te
definition), so it wouldn't hurt to use raid_domtrans_mdadm for this.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
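As an added illustration of the naming convention discussed above (this is example code written for this page, not the patch itself or refpolicy's own file): a run-style interface in the refpolicy m4 style. It follows the two points raised, i.e. the role line names the domain type (mdadm_t), not the _exec_t type, and the interface is named raid_run_mdadm because it transitions into one specific domain rather than defining a prefixed role domain. The summary text and the caller line (assumed to live in the sysadm module, guarded by optional_policy) are assumptions for the example.

```m4
########################################
## <summary>
##	Execute mdadm in the mdadm domain, and
##	allow the specified role the mdadm domain.
## </summary>
## <param name="domain">
##	<summary>
##	Domain allowed to transition.
##	</summary>
## </param>
## <param name="role">
##	<summary>
##	Role allowed access.
##	</summary>
## </param>
#
interface(`raid_run_mdadm',`
	gen_require(`
		# The domain type, not mdadm_exec_t: a role is granted
		# the domains it may run in, never the executable type.
		type mdadm_t;
	')

	# Reuse the existing domain transition; only the role line is new.
	raid_domtrans_mdadm($1)
	role $2 types mdadm_t;
')

# Caller side (assumed placement: the sysadm module, sysadm.te).
# The optional_policy block keeps sysadm buildable when the raid
# module is not present.
optional_policy(`
	raid_run_mdadm(sysadm_t, sysadm_r)
')
```

After loading the policy, the effect can be checked with the usual tools: `seinfo -r sysadm_r -x` should now list mdadm_t among the role's types, and `sesearch -T -s sysadm_t -t mdadm_exec_t -c process` shows the transition the run interface relies on.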
During the installation of for instance java-config, Portage wants to set
its default file creation context to root:object_r:portage_tmp_t which isn't
allowed:
creating /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild
copying src/revdep-rebuild/60-java -> /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/etc/revdep-rebuild/
running install_egg_info
Writing /var/tmp/portage/dev-java/java-config-2.1.11-r3/temp/images/3.1/usr/lib64/python3.1/site-packages/java_config-2.1.11-py3.1.egg-info
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
cp: failed to set default file creation context to `root:object_r:portage_tmp_t': Permission denied
...
ERROR: dev-java/java-config-2.1.11-r3 failed:
Merging of intermediate installation image for Python ABI '2.6 into installation image failed
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
During installation of system packages like python, ustr, ... the
portage_sandbox_t domain requires ptrace capabilities.
If not allowed, the following error is returned:
/sbin/ldconfig -n /var/tmp/portage/dev-libs/ustr-1.0.4-r1/image//usr/lib64
ISE:_do_ptrace ^[[0mptrace(PTRACE_TRACEME, ..., 0x0000000000000000, 0x0000000000000000): Permission denied
/usr/lib/libsandbox.so(+0x3812)[0x7535af0ca812]
/usr/lib/libsandbox.so(+0x38a3)[0x7535af0ca8a3]
/usr/lib/libsandbox.so(+0x5595)[0x7535af0cc595]
/usr/lib/libsandbox.so(+0x5a87)[0x7535af0cca87]
/usr/lib/libsandbox.so(+0x68de)[0x7535af0cd8de]
/usr/lib/libsandbox.so(execvp+0x6c)[0x7535af0ceb3c]
make(+0x1159e)[0x337b918159e]
make(+0x11eec)[0x337b9181eec]
make(+0x12b34)[0x337b9182b34]
make(+0x1e759)[0x337b918e759]
/proc/5977/cmdline: make -j4 install
DESTDIR=/var/tmp/portage/dev-libs/ustr-1.0.4-r1/image/ HIDE=
libdir=/usr/lib64 mandir=/usr/share/man SHRDIR=/usr/share/doc/ustr-1.0.4-r1
DOCSHRDIR=/usr/share/doc/ustr-1.0.4-r1
This seems to be during a standard "make install" of the package but part of
Portage's sandbox usage (above error for ustr, but packages like python exhibit
the same problem.)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The installation of the wireshark package (and perhaps others) requires
Portage to set file capabilities (through the setcap binary).
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The attached patch allows the postgresql_t domain to read selabel definition files
(such as /etc/selinux/targeted/contexts/sepgsql_contexts).
The upcoming version (v9.1) uses selabel_lookup(3) to assign the initial security context
of database objects, so we need to allow this access.
Thanks,
--
NEC Europe Ltd, SAP Global Competence Center
KaiGai Kohei <kohei.kaigai@eu.nec.com>
Allow mplayer to behave as a plugin for higher-level (interactive)
applications, such as browser plugins
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
In order to work with webcams, mplayer domain needs write access to the
v4l_device_t (updates and reconfiguration of the video device)
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Updates on the file contexts, supporting AMD64 multilib environment
( Patch 10 has been revoked a-la-last-minute, needs further testing )
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
postalias should stay bin_t, as it is manually executed (no role executes
postfix_master_exec_t as it is only to be launched through init scripts).
The postalias command is used to regenerate the aliases.db file from the
mail aliases and as such is a system administrative activity. However, by
default, no role has execute rights on any postfix_master_exec_t domains as
the domain is apparently meant only to be started from the run_init_t
domain.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Cyrus sasl by default looks in /var/lib/sasl2 for its PID file, socket
creation and lock files.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
Update on the file contexts for courier-imap. Also fixes a few context
directives which didn't update the directory itself.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
The alsactl binary is often installed in /usr/sbin instead of /sbin (not a
necessity to start up the system). Used in distributions such as Gentoo,
Slackware and Arch.
Signed-off-by: Sven Vermeulen <sven.vermeulen@siphos.be>
When starting the X server from the console (using the startx script
that is being shipped with package xinit from X.Org), a few more
permissions are needed from the reference policy.
The label is for a file created by the startx script (from X.Org) and
the module being requested is ipv6 (which can be disabled by other
means).