2021-02-01 06:41:03

by Russell Coker

Subject: [PATCH] new version of filetrans patch

Name changes suggested by Dominick and some more additions.

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20210130/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210130/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
## Domain allowed access.
## </summary>
## </param>
+## <param name="name" optional="true">
+## <summary>
+## The name of the object being created.
+## </summary>
+## </param>
#
interface(`auth_etc_filetrans_shadow',`
gen_require(`
type shadow_t;
')

- files_etc_filetrans($1, shadow_t, file)
+ files_etc_filetrans($1, shadow_t, file, $2)
')

#######################################
Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210130/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)

files_manage_non_auth_files(dpkg_script_t)

+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
auth_manage_shadow(dpkg_script_t)

init_all_labeled_script_domtrans(dpkg_script_t)
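Review bot: The added name-based transition `auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")` has no comment saying which program writes a file of that name, so a later reader cannot tell why `/etc/shadow.upwd-write` should become `shadow_t` rather than the default etc type. A one-line why-comment above the call, such as `# shadow.upwd-write is the temporary file written before it is renamed over /etc/shadow` (naming the tool that does so, presumably Debian's update-passwd, once confirmed), would document the intent. Restricting the transition to this single name instead of an unnamed `file` transition is the right least-privilege choice given dpkg_script_t already holds auth_manage_shadow on the next line.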
@@ -307,10 +308,20 @@ optional_policy(`
')

optional_policy(`
+ aptcacher_filetrans_cache_dir(dpkg_script_t)
+ aptcacher_filetrans_conf_dir(dpkg_script_t)
+ aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
bootloader_run(dpkg_script_t, dpkg_roles)
')

optional_policy(`
+ clamav_filetrans_log(dpkg_script_t)
+')
+
+optional_policy(`
devicekit_dbus_chat_power(dpkg_script_t)
')

@@ -319,6 +330,10 @@ optional_policy(`
')

optional_policy(`
+ milter_filetrans_spamass_state(dpkg_script_t)
+')
+
+optional_policy(`
modutils_run(dpkg_script_t, dpkg_roles)
')

@@ -327,6 +342,11 @@ optional_policy(`
')

optional_policy(`
+ mysql_create_db_dir(dpkg_script_t)
+ mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
nis_use_ypbind(dpkg_script_t)
')

Index: refpolicy-2.20210130/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210130/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
/var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
/var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)

-/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)

/run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
/run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
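Review bot: The new `/var/log/mysql(/.*)?` entry on the last added line matches only the `/var/log/mysql` directory and its contents, whereas the removed `/var/log/mysql.* --` entry also covered flat files beside it such as a `/var/log/mysql.log` or `/var/log/mysql.err`; after this change those files would relabel to the generic log type and mysqld would lose access to them. If such flat log files still exist on the targeted distributions (inferred, not visible here), either keep the old entry alongside the new one or use `/var/log/mysql.* gen_context(system_u:object_r:mysqld_log_t,s0)` with no object class, which covers the directory, its contents and the flat files in one line. The mariadb line appears to change whitespace only.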
Index: refpolicy-2.20210130/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210130/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`

########################################
## <summary>
+## create mysqld db dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+ gen_require(`
+ type mysqld_db_t;
+ ')
+
+ files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
## Create, read, write, and delete
## mysqld home files.
## </summary>
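Review bot: The new interface `mysql_create_db_dir` breaks the naming used by the other additions in this patch, which follow the `<module>_filetrans_<object>` form (`clamav_filetrans_log`, `aptcacher_filetrans_log_dir`, `milter_filetrans_spamass_state`, `ftp_filetrans_pure_ftpd_runtime`); `mysql_filetrans_db_dir`, and `mysql_filetrans_log_dir` for `mysql_create_log_dir` in the next hunk, would keep the set consistent and make clear that the interface grants a type transition rather than general create access. The summary `## create mysqld db dir.` should also name what is created and the resulting type in the capitalised sentence style of the surrounding summaries, e.g. `## Create /var/lib/mysql with a type transition to mysqld_db_t.`, and likewise for `mysql_create_log_dir`. The same summary-wording point applies to the lower-case `## create ...` summaries of the aptcacher, ftp and milter interfaces added later in the patch.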
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
')

logging_search_logs($1)
+ allow $1 mysqld_log_t:dir search_dir_perms;
allow $1 mysqld_log_t:file write_file_perms;
')

+########################################
+## <summary>
+## create mysqld log dir.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+ gen_require(`
+ type mysqld_log_t;
+ ')
+
+ logging_search_logs($1)
+ logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
######################################
## <summary>
## Execute mysqld safe in the
Index: refpolicy-2.20210130/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210130/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
files_list_tmp($1)
admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
')
+
+########################################
+## <summary>
+## specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+ gen_require(`
+ type clamd_var_log_t, freshclam_var_log_t;
+ ')
+
+ filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
+
+########################################
+## <summary>
+## specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+ gen_require(`
+ type clamd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')
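Review bot: `clamav_filetrans_log` grants the transition on `clamd_var_log_t` directly with `filetrans_pattern` but, unlike `mysql_create_log_dir` elsewhere in this patch, does not call `logging_search_logs($1)`, so a caller with no search access of its own on `/var/log` could not reach `/var/log/clamav` to create the file; adding `logging_search_logs($1)` before the `filetrans_pattern` line makes the interface self-contained. The only caller in the patch, `dpkg_script_t`, likely already has that access through its broad file rules, so this is a completeness point rather than a breakage. The two summaries would also read better in the existing refpolicy style, e.g. `## Create freshclam.log in the clamd log directory with a type transition to freshclam_var_log_t.` and `## Create /run/clamav with a type transition to clamd_runtime_t.`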
Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210130/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
files_search_runtime($1)
stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
')
+
+########################################
+## <summary>
+## create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+ gen_require(`
+ type aptcacher_log_t;
+ ')
+
+ logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+ gen_require(`
+ type aptcacher_cache_t;
+ ')
+
+ files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+## create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+ gen_require(`
+ type aptcacher_conf_t;
+ ')
+
+ files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210130/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210130/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`

ftp_run_ftpdctl($1, $2)
')
+
+########################################
+## <summary>
+## create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+ gen_require(`
+ type ftpd_runtime_t;
+ ')
+
+ files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210130/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/init.te
+++ refpolicy-2.20210130/policy/modules/system/init.te
@@ -1094,6 +1094,7 @@ optional_policy(`
')

optional_policy(`
+ clamav_filetrans_runtime_dir(initrc_t)
clamav_read_config(initrc_t)
')

@@ -1287,6 +1288,10 @@ optional_policy(`
')

optional_policy(`
+ ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
rpc_read_exports(initrc_t)
')

Index: refpolicy-2.20210130/policy/modules/services/milter.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/milter.if
+++ refpolicy-2.20210130/policy/modules/services/milter.if
@@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state',

########################################
## <summary>
+## create spamass milter state dir
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+ gen_require(`
+ type spamass_milter_state_t;
+ ')
+
+ files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
+')
+
+########################################
+## <summary>
## Get the attributes of the spamassissin milter data dir.
## </summary>
## <param name="domain">
Index: refpolicy-2.20210130/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210130/policy/modules/system/unconfined.te
@@ -67,6 +67,7 @@ ifdef(`init_systemd',`

optional_policy(`
systemd_dbus_chat_resolved(unconfined_t)
+ systemd_filetrans_passwd_runtime_dirs(unconfined_t)
')
')

Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210130/policy/modules/roles/sysadm.te
@@ -99,6 +99,7 @@ ifdef(`init_systemd',`
# LookupDynamicUserByUID on org.freedesktop.systemd1.
init_dbus_chat(sysadm_t)

+ systemd_run_passwd_agent(sysadm_t, sysadm_r)
systemd_watch_passwd_runtime_dirs(sysadm_t)
')

Index: refpolicy-2.20210130/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210130/policy/modules/system/systemd.if
@@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds'
allow systemd_passwd_agent_t $1:fd use;
')

+########################################
+## <summary>
+## allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain that runs it
+## </summary>
+## </param>
+## <param name="role">
+## <summary>
+## role that it runs in
+## </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')
+
#######################################
## <summary>
## Allow a systemd_passwd_agent_t process to interact with a daemon
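Review bot: `systemd_run_passwd_agent` restates `allow systemd_passwd_agent_t $1:fd use;`, which is exactly the rule the adjacent `systemd_use_passwd_agent_fds` interface already provides (visible as the context line at the top of this hunk); calling `systemd_use_passwd_agent_fds($1)` instead of repeating the rule keeps that access defined in one place. Refpolicy also normally splits this into a `systemd_domtrans_passwd_agent` interface holding the transition and a `systemd_run_passwd_agent` wrapper that calls it and adds `role $2 types systemd_passwd_agent_t;`, so a caller that needs only the transition can use the former. The summary `## allow systemd_passwd_agent to be run by admin` could state the contract, e.g. `## Execute the systemd passwd agent in the systemd_passwd_agent domain and allow the specified role that domain.`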


2021-02-02 14:46:53

by Russell Coker

Subject: Re: [PATCH] new version of filetrans patch

On Wednesday, 3 February 2021 12:49:07 AM AEDT Chris PeBenito wrote:
> > Name changes suggested by Dominick and some more additions.
> >
> > Signed-off-by: Russell Coker <[email protected]>
>
> Merged, though I renamed some interfaces and dropped a block that didn't
> apply since it's so close to the merge window closing.

+interface(`systemd_run_passwd_agent',`
+ gen_require(`
+ type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+ ')
+
+ domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
systemd_passwd_agent_t)
+ allow systemd_passwd_agent_t $1:fd use;
+ role $2 types systemd_passwd_agent_t;
+')

Why did you change the above to the below? It needs an auto trans.

interface(`systemd_run_passwd_agent',`
gen_require(`
type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
')

domtrans_pattern($1, systemd_passwd_agent_exec_t,
systemd_passwd_agent_t)
allow systemd_passwd_agent_t $1:fd use;
role $2 types systemd_passwd_agent_t;
')


--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



2021-02-02 14:54:57

by Russell Coker

Subject: Re: [PATCH] new version of filetrans patch

On Wednesday, 3 February 2021 12:49:07 AM AEDT Chris PeBenito wrote:
> since it's so close to the merge window closing.

What about all the other patches I had sent?

--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/



2021-02-02 18:33:37

by Chris PeBenito

Subject: Re: [PATCH] new version of filetrans patch

On 2/2/21 9:42 AM, Russell Coker wrote:
> On Wednesday, 3 February 2021 12:49:07 AM AEDT Chris PeBenito wrote:
>>> Name changes suggested by Dominick and some more additions.
>>>
>>> Signed-off-by: Russell Coker <[email protected]>
>>
>> Merged, though I renamed some interfaces and dropped a block that didn't
>> apply since it's so close to the merge window closing.
>
> +interface(`systemd_run_passwd_agent',`
> + gen_require(`
> + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
> + ')
> +
> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t,
> systemd_passwd_agent_t)
> + allow systemd_passwd_agent_t $1:fd use;
> + role $2 types systemd_passwd_agent_t;
> +')
>
> Why did you change the above to the below? It needs an auto trans.
>
> interface(`systemd_run_passwd_agent',`
> gen_require(`
> type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
> ')
>
> domtrans_pattern($1, systemd_passwd_agent_exec_t,
> systemd_passwd_agent_t)
> allow systemd_passwd_agent_t $1:fd use;
> role $2 types systemd_passwd_agent_t;
> ')

domtrans_pattern() is automatic.

--
Chris PeBenito

2021-02-02 19:58:03

by Chris PeBenito

Subject: Re: [PATCH] new version of filetrans patch

On 1/31/21 11:57 PM, Russell Coker wrote:
> Name changes suggested by Dominick and some more additions.
>
> Signed-off-by: Russell Coker <[email protected]>

Merged, though I renamed some interfaces and dropped a block that didn't apply
since it's so close to the merge window closing.


> Index: refpolicy-2.20210130/policy/modules/system/authlogin.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if
> +++ refpolicy-2.20210130/policy/modules/system/authlogin.if
> @@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
> ## Domain allowed access.
> ## </summary>
> ## </param>
> +## <param name="name" optional="true">
> +## <summary>
> +## The name of the object being created.
> +## </summary>
> +## </param>
> #
> interface(`auth_etc_filetrans_shadow',`
> gen_require(`
> type shadow_t;
> ')
>
> - files_etc_filetrans($1, shadow_t, file)
> + files_etc_filetrans($1, shadow_t, file, $2)
> ')
>
> #######################################
> Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te
> +++ refpolicy-2.20210130/policy/modules/admin/dpkg.te
> @@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
>
> files_manage_non_auth_files(dpkg_script_t)
>
> +auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
> auth_manage_shadow(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> @@ -307,10 +308,20 @@ optional_policy(`
> ')
>
> optional_policy(`
> + aptcacher_filetrans_cache_dir(dpkg_script_t)
> + aptcacher_filetrans_conf_dir(dpkg_script_t)
> + aptcacher_filetrans_log_dir(dpkg_script_t)
> +')
> +
> +optional_policy(`
> bootloader_run(dpkg_script_t, dpkg_roles)
> ')
>
> optional_policy(`
> + clamav_filetrans_log(dpkg_script_t)
> +')
> +
> +optional_policy(`
> devicekit_dbus_chat_power(dpkg_script_t)
> ')
>
> @@ -319,6 +330,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + milter_filetrans_spamass_state(dpkg_script_t)
> +')
> +
> +optional_policy(`
> modutils_run(dpkg_script_t, dpkg_roles)
> ')
>
> @@ -327,6 +342,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + mysql_create_db_dir(dpkg_script_t)
> + mysql_create_log_dir(dpkg_script_t)
> +')
> +
> +optional_policy(`
> nis_use_ypbind(dpkg_script_t)
> ')
>
> Index: refpolicy-2.20210130/policy/modules/services/mysql.fc
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc
> +++ refpolicy-2.20210130/policy/modules/services/mysql.fc
> @@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf -- gen_context(system
> /var/lib/mysql(/.*)? gen_context(system_u:object_r:mysqld_db_t,s0)
> /var/lib/mysql/mysql.* -s gen_context(system_u:object_r:mysqld_runtime_t,s0)
>
> -/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
> -/var/log/mysql.* -- gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/log/mariadb(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
> +/var/log/mysql(/.*)? gen_context(system_u:object_r:mysqld_log_t,s0)
>
> /run/mysqld.* gen_context(system_u:object_r:mysqld_runtime_t,s0)
> /run/mysqlmanager.* -- gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
> Index: refpolicy-2.20210130/policy/modules/services/mysql.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/mysql.if
> +++ refpolicy-2.20210130/policy/modules/services/mysql.if
> @@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
>
> ########################################
> ## <summary>
> +## create mysqld db dir.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mysql_create_db_dir',`
> + gen_require(`
> + type mysqld_db_t;
> + ')
> +
> + files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
> +')
> +
> +########################################
> +## <summary>
> ## Create, read, write, and delete
> ## mysqld home files.
> ## </summary>
> @@ -325,9 +343,29 @@ interface(`mysql_write_log',`
> ')
>
> logging_search_logs($1)
> + allow $1 mysqld_log_t:dir search_dir_perms;
> allow $1 mysqld_log_t:file write_file_perms;
> ')
>
> +########################################
> +## <summary>
> +## create mysqld log dir.
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`mysql_create_log_dir',`
> + gen_require(`
> + type mysqld_log_t;
> + ')
> +
> + logging_search_logs($1)
> + logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
> +')
> +
> ######################################
> ## <summary>
> ## Execute mysqld safe in the
> Index: refpolicy-2.20210130/policy/modules/services/clamav.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/clamav.if
> +++ refpolicy-2.20210130/policy/modules/services/clamav.if
> @@ -430,3 +430,39 @@ interface(`clamav_admin',`
> files_list_tmp($1)
> admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
> ')
> +
> +########################################
> +## <summary>
> +## specified domain creates /var/log/clamav/freshclam.log with correct type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_filetrans_log',`
> + gen_require(`
> + type clamd_var_log_t, freshclam_var_log_t;
> + ')
> +
> + filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
> +')
> +
> +########################################
> +## <summary>
> +## specified domain creates /run/clamav with correct type
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`clamav_filetrans_runtime_dir',`
> + gen_require(`
> + type clamd_runtime_t;
> + ')
> +
> + files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
> +')
> Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if
> +++ refpolicy-2.20210130/policy/modules/services/aptcacher.if
> @@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
> files_search_runtime($1)
> stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
> ')
> +
> +########################################
> +## <summary>
> +## create /var/log/apt-cacher-ng
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`aptcacher_filetrans_log_dir',`
> + gen_require(`
> + type aptcacher_log_t;
> + ')
> +
> + logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
> +')
> +
> +########################################
> +## <summary>
> +## create /var/cache/apt-cacher-ng
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`aptcacher_filetrans_cache_dir',`
> + gen_require(`
> + type aptcacher_cache_t;
> + ')
> +
> + files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
> +')
> +
> +########################################
> +## <summary>
> +## create /etc/apt-cacher-ng
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`aptcacher_filetrans_conf_dir',`
> + gen_require(`
> + type aptcacher_conf_t;
> + ')
> +
> + files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
> +')
> Index: refpolicy-2.20210130/policy/modules/services/ftp.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/ftp.if
> +++ refpolicy-2.20210130/policy/modules/services/ftp.if
> @@ -189,3 +189,21 @@ interface(`ftp_admin',`
>
> ftp_run_ftpdctl($1, $2)
> ')
> +
> +########################################
> +## <summary>
> +## create /run/pure-ftpd
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`ftp_filetrans_pure_ftpd_runtime',`
> + gen_require(`
> + type ftpd_runtime_t;
> + ')
> +
> + files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
> +')
> Index: refpolicy-2.20210130/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210130/policy/modules/system/init.te
> @@ -1094,6 +1094,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + clamav_filetrans_runtime_dir(initrc_t)
> clamav_read_config(initrc_t)
> ')
>
> @@ -1287,6 +1288,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ftp_filetrans_pure_ftpd_runtime(initrc_t)
> +')
> +
> +optional_policy(`
> rpc_read_exports(initrc_t)
> ')
>
> Index: refpolicy-2.20210130/policy/modules/services/milter.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/services/milter.if
> +++ refpolicy-2.20210130/policy/modules/services/milter.if
> @@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state',
>
> ########################################
> ## <summary>
> +## create spamass milter state dir
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`milter_filetrans_spamass_state',`
> + gen_require(`
> + type spamass_milter_state_t;
> + ')
> +
> + files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
> +')
> +
> +########################################
> +## <summary>
> ## Get the attributes of the spamassissin milter data dir.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20210130/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210130/policy/modules/system/unconfined.te
> @@ -67,6 +67,7 @@ ifdef(`init_systemd',`
>
> optional_policy(`
> systemd_dbus_chat_resolved(unconfined_t)
> + systemd_filetrans_passwd_runtime_dirs(unconfined_t)
> ')
> ')
>
> Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210130/policy/modules/roles/sysadm.te
> @@ -99,6 +99,7 @@ ifdef(`init_systemd',`
> # LookupDynamicUserByUID on org.freedesktop.systemd1.
> init_dbus_chat(sysadm_t)
>
> + systemd_run_passwd_agent(sysadm_t, sysadm_r)
> systemd_watch_passwd_runtime_dirs(sysadm_t)
> ')
>
> Index: refpolicy-2.20210130/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20210130.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20210130/policy/modules/system/systemd.if
> @@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds'
> allow systemd_passwd_agent_t $1:fd use;
> ')
>
> +########################################
> +## <summary>
> +## allow systemd_passwd_agent to be run by admin
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain that runs it
> +## </summary>
> +## </param>
> +## <param name="role">
> +## <summary>
> +## role that it runs in
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_run_passwd_agent',`
> + gen_require(`
> + type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
> + ')
> +
> + domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
> + allow systemd_passwd_agent_t $1:fd use;
> + role $2 types systemd_passwd_agent_t;
> +')
> +
> #######################################
> ## <summary>
> ## Allow a systemd_passwd_agent_t process to interact with a daemon
>


--
Chris PeBenito