2019-01-04 07:54:33

by Russell Coker

Subject: [PATCH] systemd misc

This patch has policy changes related to systemd and the systemd versions
of system programs.

Also has some dbus policy which probably isn't strictly a systemd thing, but it
all came at the same time.

Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
+++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
@@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
#

allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
+# systemctl asks for net_admin
+dontaudit logrotate_t self:capability net_admin;
allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
allow logrotate_t self:fd use;
allow logrotate_t self:key manage_key_perms;
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
@@ -378,6 +378,10 @@ optional_policy(`
')

optional_policy(`
+ init_dbus_chat(crond_t)
+ ')
+
+ optional_policy(`
unconfined_dbus_send(crond_t)
')
')
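Review bot: init_dbus_chat(crond_t) is added with no comment saying which cron operation needs to exchange D-Bus messages with PID 1; the interface grants send_msg in both directions between crond_t and init_t, which (inferring from the interface name) lets the domain make unit-control calls to systemd rather than only receive replies. A one-line comment quoting the operation or the denial that triggered it, e.g. `# <operation that needs to talk to systemd over the bus>`, would let a later reader judge whether a narrower interface exists. The same unexplained init_dbus_chat additions appear for postfix_master_t, postfix_cleanup_t, postfix_pickup_t, postfix_qmgr_t and postfix_smtp_t in postfix.te and for sshd_t in ssh.te, where sshd_t already has systemd_dbus_chat_logind and it is not stated what it needs from init_t beyond logind. The flattened indentation of `+ ')` and `+ optional_policy(\`` looks like mail whitespace damage rather than the actual patch, but is worth checking on apply.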
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
domain_use_interactive_fds(NetworkManager_t)
domain_read_all_domains_state(NetworkManager_t)

+# /etc/resolv.conf is a symlink written by NM
+files_manage_etc_symlinks(NetworkManager_t)
files_read_etc_runtime_files(NetworkManager_t)
files_read_usr_files(NetworkManager_t)
files_read_usr_src_files(NetworkManager_t)
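Review bot: files_manage_etc_symlinks(NetworkManager_t) grants create, delete and rename on every etc_t symlink, while the comment above it justifies only /etc/resolv.conf. As far as I recall, resolv.conf's own type in refpolicy (net_conf_t) has a file context with the `--` regular-file qualifier, so a resolv.conf that is a symlink falls back to etc_t; if the symlink were labelled net_conf_t instead (a context without `--`, or a filetrans), the existing sysnet config access would cover it and the etc_t-wide symlink write could be dropped. Worth checking which label the symlink actually carries on an affected system before merging the broader rule.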
@@ -346,6 +348,7 @@ optional_policy(`
')

optional_policy(`
+ systemd_read_logind_pids(NetworkManager_t)
systemd_read_logind_sessions_files(NetworkManager_t)
systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
')
Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
+++ refpolicy-2.20180701/policy/modules/services/ntp.fc
@@ -13,6 +13,7 @@
/etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)

/run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
+/run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0)

/usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
/usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
@@ -31,6 +32,7 @@
/var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
/var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
+/var/lib/private/systemd/timesync(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)

/var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)

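Review bot: `/var/lib/private/systemd/timesync(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)` combines a directory glob with the `--` regular-file qualifier, so the timesync directory itself never matches this entry and keeps its parent's label; only files beneath it become ntp_drift_t. The sibling entry `/run/systemd/timesync(/.*)?` in the earlier hunk of this file omits the qualifier, which is the form that labels the directory too. Drop the `--` here unless leaving the directory unlabelled by this entry is intended.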
Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
+++ refpolicy-2.20180701/policy/modules/services/openvpn.te
@@ -175,3 +175,7 @@ optional_policy(`
networkmanager_dbus_chat(openvpn_t)
')
')
+
+optional_policy(`
+ systemd_use_passwd_agent(openvpn_t)
+')
Index: refpolicy-2.20180701/policy/modules/services/postfix.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
+++ refpolicy-2.20180701/policy/modules/services/postfix.te
@@ -347,6 +347,12 @@ optional_policy(`
')

optional_policy(`
+ dbus_send_system_bus(postfix_master_t)
+ dbus_system_bus_client(postfix_master_t)
+ init_dbus_chat(postfix_master_t)
+')
+
+optional_policy(`
sendmail_signal(postfix_master_t)
')

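Review bot: dbus_send_system_bus(postfix_master_t) sits next to dbus_system_bus_client(postfix_master_t), and as far as I recall the client interface in refpolicy already includes send_msg to system_dbusd_t, so the first call is likely redundant. The same pairing is repeated for postfix_cleanup_t, postfix_qmgr_t and postfix_smtp_t in the later hunks of this file, while postfix_bounce_t and postfix_pickup_t get only the client interface; either the extra call is redundant everywhere or the two groups of domains genuinely need different access, and the hunks should say which. Worth confirming against dbus.if before merging.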
@@ -376,6 +382,10 @@ optional_policy(`
init_dbus_chat(postfix_bounce_t)
')

+optional_policy(`
+ dbus_system_bus_client(postfix_bounce_t)
+')
+
########################################
#
# Cleanup local policy
@@ -420,6 +430,12 @@ optional_policy(`
mailman_read_data_files(postfix_cleanup_t)
')

+optional_policy(`
+ dbus_send_system_bus(postfix_cleanup_t)
+ dbus_system_bus_client(postfix_cleanup_t)
+ init_dbus_chat(postfix_cleanup_t)
+')
+
########################################
#
# Local local policy
@@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
mcs_file_read_all(postfix_pickup_t)
mcs_file_write_all(postfix_pickup_t)

+optional_policy(`
+ dbus_system_bus_client(postfix_pickup_t)
+ init_dbus_chat(postfix_pickup_t)
+')
+
########################################
#
# Pipe local policy
@@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po

corecmd_exec_bin(postfix_qmgr_t)

+optional_policy(`
+ dbus_send_system_bus(postfix_qmgr_t)
+ dbus_system_bus_client(postfix_qmgr_t)
+ init_dbus_chat(postfix_qmgr_t)
+')
+
########################################
#
# Showq local policy
@@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
mta_map_aliases(postfix_smtpd_t)

optional_policy(`
+ dbus_send_system_bus(postfix_smtp_t)
+ dbus_system_bus_client(postfix_smtp_t)
+ init_dbus_chat(postfix_smtp_t)
+')
+
+optional_policy(`
dovecot_stream_connect_auth(postfix_smtpd_t)
dovecot_stream_connect(postfix_smtpd_t)
')
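Review bot: the new rules in this hunk are for postfix_smtp_t, but they are inserted into the block that the surrounding context shows belongs to the smtpd domain (mta_read_aliases(postfix_smtpd_t) and dovecot_stream_connect_auth(postfix_smtpd_t) on the adjacent lines). Either the domain is a typo for postfix_smtpd_t, or the rules are for the smtp client and belong in its own local policy section; as written, a reader of the smtpd section will not notice that the smtp client gained init_dbus_chat. Please move the block or correct the domain name, and add a comment naming which postfix process triggered it.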
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -278,6 +278,7 @@ ifdef(`distro_debian',`
')

ifdef(`init_systemd',`
+ init_dbus_chat(sshd_t)
systemd_dbus_chat_logind(sshd_t)
init_rw_stream_sockets(sshd_t)
')
Index: refpolicy-2.20180701/policy/modules/services/tor.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/tor.te
+++ refpolicy-2.20180701/policy/modules/services/tor.te
@@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
files_read_usr_files(tor_t)

fs_search_tmpfs(tor_t)
+# for log symlink on a tmpfs filesystem systemd creates for it
+fs_read_tmpfs_symlinks(tor_t)

auth_use_nsswitch(tor_t)

Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
+++ refpolicy-2.20180701/policy/modules/system/systemd.fc
@@ -50,6 +50,8 @@
/run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)

+/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
+/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
/run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
/run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
/run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
type systemd_nspawn_t;
type systemd_nspawn_exec_t;
init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
+mcs_killall(systemd_nspawn_t)

type systemd_nspawn_var_run_t;
files_pid_file(systemd_nspawn_var_run_t)
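Review bot: mcs_killall(systemd_nspawn_t) is placed among the type declarations for systemd_nspawn_t rather than in the "Nspawn local policy" section further down (which later hunks of this file touch), where refpolicy keeps access rules so a domain's permissions can be read in one place. Move it next to the other nspawn rules. Since the interface lifts the MCS constraint on signalling processes at any category, a comment naming the operation that needs it (presumably stopping container processes that run at their own categories — confirm) would help the next reviewer.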
@@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
#

dev_read_sysfs(systemd_gpt_generator_t)
+files_list_usr(systemd_gpt_generator_t)
files_read_etc_files(systemd_gpt_generator_t)
fs_getattr_xattr_fs(systemd_gpt_generator_t)
storage_raw_read_fixed_disk(systemd_gpt_generator_t)
@@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
# Logind local policy
#

-allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
+allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
allow systemd_logind_t self:process { getcap setfscreate };
allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
@@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
# Nspawn local policy
#

-allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
-allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
+allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
+allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
allow systemd_nspawn_t self:capability2 wake_alarm;
allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;

@@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)

-files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
+files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
+# for /tmp/.#inaccessible*
+allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;

# for /run/systemd/nspawn/incoming in chroot
allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
@@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
files_mounton_mnt(systemd_nspawn_t)
files_mounton_root(systemd_nspawn_t)
files_mounton_tmp(systemd_nspawn_t)
+files_read_kernel_symbol_table(systemd_nspawn_t)
files_setattr_pid_dirs(systemd_nspawn_t)

fs_getattr_tmpfs(systemd_nspawn_t)
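Review bot: files_read_kernel_symbol_table(systemd_nspawn_t) is added unconditionally, outside the systemd_nspawn_labeled_namespace tunable that the following hunks use for other container-setup access, and carries no comment; the interface exposes the kernel symbol map (/boot/System.map-style data), which refpolicy keeps out of most domains. If the read happens on behalf of the container (I am inferring, e.g. a bind mount of /boot) it belongs inside the tunable block; if nspawn itself needs it, a comment quoting the triggering operation, e.g. `# <operation that reads the kernel symbol table>`, would let a reader judge the grant.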
@@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
userdom_manage_user_home_dirs(systemd_nspawn_t)

tunable_policy(`systemd_nspawn_labeled_namespace',`
+ corecmd_exec_bin(systemd_nspawn_t)
corecmd_exec_shell(systemd_nspawn_t)

dev_mounton(systemd_nspawn_t)
@@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
fs_write_cgroup_files(systemd_nspawn_t)

selinux_getattr_fs(systemd_nspawn_t)
+ selinux_remount_fs(systemd_nspawn_t)
selinux_search_fs(systemd_nspawn_t)

init_domtrans(systemd_nspawn_t)
@@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass

seutil_search_default_contexts(systemd_passwd_agent_t)

+userdom_use_user_ttys(systemd_passwd_agent_t)
userdom_use_user_ptys(systemd_passwd_agent_t)

optional_policy(`
@@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
# Tmpfiles local policy
#

-allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
+allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
allow systemd_tmpfiles_t self:process { setfscreate getcap };

allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
@@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;

+kernel_getattr_proc(systemd_tmpfiles_t)
kernel_read_kernel_sysctls(systemd_tmpfiles_t)
kernel_read_network_state(systemd_tmpfiles_t)

+dev_getattr_fs(systemd_tmpfiles_t)
dev_manage_all_dev_nodes(systemd_tmpfiles_t)
dev_read_urand(systemd_tmpfiles_t)
dev_relabel_all_sysfs(systemd_tmpfiles_t)
@@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
files_manage_var_lib_dirs(systemd_tmpfiles_t)
files_purge_tmp(systemd_tmpfiles_t)
files_read_etc_files(systemd_tmpfiles_t)
+files_read_etc_runtime_files(systemd_tmpfiles_t)
files_relabel_all_lock_dirs(systemd_tmpfiles_t)
files_relabel_all_pid_dirs(systemd_tmpfiles_t)
files_relabel_all_tmp_dirs(systemd_tmpfiles_t)


2019-01-05 19:39:32

by Chris PeBenito

Subject: Re: [PATCH] systemd misc

On 1/4/19 2:54 AM, Russell Coker wrote:
> This patch has policy changes related to systemd and the systemd versions
> of system programs.
>
> Also has some dbus policy which probably isn't strictly a systemd thing, but it
> all came at the same time.

Is all the postfix dbus usage due to a postfix change or something else?
I want to look for a pattern if this is not due to postfix code changes.

I don't think I have any issues with anything else in the patch, but
will wait for the above answer to try to merge in one shot.


> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
> #
>
> allow logrotate_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid sys_nice sys_resource };
> +# systemctl asks for net_admin
> +dontaudit logrotate_t self:capability net_admin;
> allow logrotate_t self:process { transition signal_perms getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh setrlimit rlimitinh dyntransition setkeycreate setsockcreate getrlimit };
> allow logrotate_t self:fd use;
> allow logrotate_t self:key manage_key_perms;
> Index: refpolicy-2.20180701/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20180701/policy/modules/services/cron.te
> @@ -378,6 +378,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + init_dbus_chat(crond_t)
> + ')
> +
> + optional_policy(`
> unconfined_dbus_send(crond_t)
> ')
> ')
> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
> domain_use_interactive_fds(NetworkManager_t)
> domain_read_all_domains_state(NetworkManager_t)
>
> +# /etc/resolv.conf is a symlink written by NM
> +files_manage_etc_symlinks(NetworkManager_t)
> files_read_etc_runtime_files(NetworkManager_t)
> files_read_usr_files(NetworkManager_t)
> files_read_usr_src_files(NetworkManager_t)
> @@ -346,6 +348,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_read_logind_pids(NetworkManager_t)
> systemd_read_logind_sessions_files(NetworkManager_t)
> systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
> ')
> Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
> +++ refpolicy-2.20180701/policy/modules/services/ntp.fc
> @@ -13,6 +13,7 @@
> /etc/rc\.d/init\.d/ntpd? -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
>
> /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
> +/run/systemd/timesync(/.*)? gen_context(system_u:object_r:ntpd_pid_t,s0)
>
> /usr/bin/ntpd -- gen_context(system_u:object_r:ntpd_exec_t,s0)
> /usr/bin/ntpdate -- gen_context(system_u:object_r:ntpdate_exec_t,s0)
> @@ -31,6 +32,7 @@
> /var/lib/ntp(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/sntp-kod(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)
> /var/lib/systemd/clock -- gen_context(system_u:object_r:ntp_drift_t,s0)
> +/var/lib/private/systemd/timesync(/.*)? -- gen_context(system_u:object_r:ntp_drift_t,s0)
>
> /var/lock/ntpdate -- gen_context(system_u:object_r:ntpd_lock_t,s0)
>
> Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
> +++ refpolicy-2.20180701/policy/modules/services/openvpn.te
> @@ -175,3 +175,7 @@ optional_policy(`
> networkmanager_dbus_chat(openvpn_t)
> ')
> ')
> +
> +optional_policy(`
> + systemd_use_passwd_agent(openvpn_t)
> +')
> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> @@ -347,6 +347,12 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dbus_send_system_bus(postfix_master_t)
> + dbus_system_bus_client(postfix_master_t)
> + init_dbus_chat(postfix_master_t)
> +')
> +
> +optional_policy(`
> sendmail_signal(postfix_master_t)
> ')
>
> @@ -376,6 +382,10 @@ optional_policy(`
> init_dbus_chat(postfix_bounce_t)
> ')
>
> +optional_policy(`
> + dbus_system_bus_client(postfix_bounce_t)
> +')
> +
> ########################################
> #
> # Cleanup local policy
> @@ -420,6 +430,12 @@ optional_policy(`
> mailman_read_data_files(postfix_cleanup_t)
> ')
>
> +optional_policy(`
> + dbus_send_system_bus(postfix_cleanup_t)
> + dbus_system_bus_client(postfix_cleanup_t)
> + init_dbus_chat(postfix_cleanup_t)
> +')
> +
> ########################################
> #
> # Local local policy
> @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
> mcs_file_read_all(postfix_pickup_t)
> mcs_file_write_all(postfix_pickup_t)
>
> +optional_policy(`
> + dbus_system_bus_client(postfix_pickup_t)
> + init_dbus_chat(postfix_pickup_t)
> +')
> +
> ########################################
> #
> # Pipe local policy
> @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po
>
> corecmd_exec_bin(postfix_qmgr_t)
>
> +optional_policy(`
> + dbus_send_system_bus(postfix_qmgr_t)
> + dbus_system_bus_client(postfix_qmgr_t)
> + init_dbus_chat(postfix_qmgr_t)
> +')
> +
> ########################################
> #
> # Showq local policy
> @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
> mta_map_aliases(postfix_smtpd_t)
>
> optional_policy(`
> + dbus_send_system_bus(postfix_smtp_t)
> + dbus_system_bus_client(postfix_smtp_t)
> + init_dbus_chat(postfix_smtp_t)
> +')
> +
> +optional_policy(`
> dovecot_stream_connect_auth(postfix_smtpd_t)
> dovecot_stream_connect(postfix_smtpd_t)
> ')
> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> @@ -278,6 +278,7 @@ ifdef(`distro_debian',`
> ')
>
> ifdef(`init_systemd',`
> + init_dbus_chat(sshd_t)
> systemd_dbus_chat_logind(sshd_t)
> init_rw_stream_sockets(sshd_t)
> ')
> Index: refpolicy-2.20180701/policy/modules/services/tor.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> +++ refpolicy-2.20180701/policy/modules/services/tor.te
> @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
> files_read_usr_files(tor_t)
>
> fs_search_tmpfs(tor_t)
> +# for log symlink on a tmpfs filesystem systemd creates for it
> +fs_read_tmpfs_symlinks(tor_t)
>
> auth_use_nsswitch(tor_t)
>
> Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
> +++ refpolicy-2.20180701/policy/modules/system/systemd.fc
> @@ -50,6 +50,8 @@
> /run/\.nologin[^/]* -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
>
> +/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
> +/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:systemd_passwd_var_run_t,s0)
> /run/systemd/resolve(/.*)? gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessions_var_run_t,s0)
> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
> type systemd_nspawn_t;
> type systemd_nspawn_exec_t;
> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
> +mcs_killall(systemd_nspawn_t)
>
> type systemd_nspawn_var_run_t;
> files_pid_file(systemd_nspawn_var_run_t)
> @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
> #
>
> dev_read_sysfs(systemd_gpt_generator_t)
> +files_list_usr(systemd_gpt_generator_t)
> files_read_etc_files(systemd_gpt_generator_t)
> fs_getattr_xattr_fs(systemd_gpt_generator_t)
> storage_raw_read_fixed_disk(systemd_gpt_generator_t)
> @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
> # Logind local policy
> #
>
> -allow systemd_logind_t self:capability { chown dac_override fowner sys_admin sys_tty_config };
> +allow systemd_logind_t self:capability { chown dac_override dac_read_search fowner sys_admin sys_tty_config };
> allow systemd_logind_t self:process { getcap setfscreate };
> allow systemd_logind_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow systemd_logind_t self:unix_dgram_socket create_socket_perms;
> @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
> # Nspawn local policy
> #
>
> -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill };
> -allow systemd_nspawn_t self:capability { dac_override fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> +allow systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit sigkill };
> +allow systemd_nspawn_t self:capability { dac_override dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin sys_chroot };
> allow systemd_nspawn_t self:capability2 wake_alarm;
> allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
>
> @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
> allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>
> -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
> +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
> +# for /tmp/.#inaccessible*
> +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
>
> # for /run/systemd/nspawn/incoming in chroot
> allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
> @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
> files_mounton_mnt(systemd_nspawn_t)
> files_mounton_root(systemd_nspawn_t)
> files_mounton_tmp(systemd_nspawn_t)
> +files_read_kernel_symbol_table(systemd_nspawn_t)
> files_setattr_pid_dirs(systemd_nspawn_t)
>
> fs_getattr_tmpfs(systemd_nspawn_t)
> @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
> userdom_manage_user_home_dirs(systemd_nspawn_t)
>
> tunable_policy(`systemd_nspawn_labeled_namespace',`
> + corecmd_exec_bin(systemd_nspawn_t)
> corecmd_exec_shell(systemd_nspawn_t)
>
> dev_mounton(systemd_nspawn_t)
> @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
> fs_write_cgroup_files(systemd_nspawn_t)
>
> selinux_getattr_fs(systemd_nspawn_t)
> + selinux_remount_fs(systemd_nspawn_t)
> selinux_search_fs(systemd_nspawn_t)
>
> init_domtrans(systemd_nspawn_t)
> @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass
>
> seutil_search_default_contexts(systemd_passwd_agent_t)
>
> +userdom_use_user_ttys(systemd_passwd_agent_t)
> userdom_use_user_ptys(systemd_passwd_agent_t)
>
> optional_policy(`
> @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
> # Tmpfiles local policy
> #
>
> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner fsetid mknod net_admin sys_admin };
> +allow systemd_tmpfiles_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin sys_admin };
> allow systemd_tmpfiles_t self:process { setfscreate getcap };
>
> allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom relabelto manage_dir_perms };
> @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms;
>
> +kernel_getattr_proc(systemd_tmpfiles_t)
> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> kernel_read_network_state(systemd_tmpfiles_t)
>
> +dev_getattr_fs(systemd_tmpfiles_t)
> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> dev_read_urand(systemd_tmpfiles_t)
> dev_relabel_all_sysfs(systemd_tmpfiles_t)
> @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
> files_manage_var_lib_dirs(systemd_tmpfiles_t)
> files_purge_tmp(systemd_tmpfiles_t)
> files_read_etc_files(systemd_tmpfiles_t)
> +files_read_etc_runtime_files(systemd_tmpfiles_t)
> files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
>


--
Chris PeBenito

2019-01-06 02:34:24

by Russell Coker

Subject: Re: [PATCH] systemd misc

I'm not sure. If this is a problem then skip the Postfix bit and merge the
rest, I can investigate Postfix more later.

On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote:
> On 1/4/19 2:54 AM, Russell Coker wrote:
> > This patch has policy changes related to systemd and the systemd versions
> > of system programs.
> >
> > Also has some dbus policy which probably isn't strictly a systemd thing,
> > but it all came at the same time.
>
> Is all the postfix dbus usage due to a postfix change or something else?
> I want to look for a pattern if this is not due to postfix code changes.
>
> I don't think I have any issues with anything else in the patch, but
> will wait for the above answer to try to merge in one shot.
>
> > Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
> > +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
> > @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
> >
> > #
> >
> > allow logrotate_t self:capability { chown dac_override dac_read_search
> > fowner fsetid kill setgid setuid sys_nice sys_resource };>
> > +# systemctl asks for net_admin
> > +dontaudit logrotate_t self:capability net_admin;
> >
> > allow logrotate_t self:process { transition signal_perms getsched
> > setsched getsession getpgid setpgid getcap setcap share getattr
> > setfscreate noatsecure siginh setrlimit rlimitinh dyntransition
> > setkeycreate setsockcreate getrlimit }; allow logrotate_t self:fd use;
> > allow logrotate_t self:key manage_key_perms;
> >
> > Index: refpolicy-2.20180701/policy/modules/services/cron.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
> > +++ refpolicy-2.20180701/policy/modules/services/cron.te
> > @@ -378,6 +378,10 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + init_dbus_chat(crond_t)
> > + ')
> > +
> > + optional_policy(`
> >
> > unconfined_dbus_send(crond_t)
> >
> > ')
> >
> > ')
> >
> > Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
> > +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
> > @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
> >
> > domain_use_interactive_fds(NetworkManager_t)
> > domain_read_all_domains_state(NetworkManager_t)
> >
> > +# /etc/resolv.conf is a symlink written by NM
> > +files_manage_etc_symlinks(NetworkManager_t)
> >
> > files_read_etc_runtime_files(NetworkManager_t)
> > files_read_usr_files(NetworkManager_t)
> > files_read_usr_src_files(NetworkManager_t)
> >
> > @@ -346,6 +348,7 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + systemd_read_logind_pids(NetworkManager_t)
> >
> > systemd_read_logind_sessions_files(NetworkManager_t)
> > systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
> >
> > ')
> >
> > Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
> > +++ refpolicy-2.20180701/policy/modules/services/ntp.fc
> > @@ -13,6 +13,7 @@
> >
> > /etc/rc\.d/init\.d/ntpd?
> > -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
> >
> > /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
> >
> > +/run/systemd/timesync(/.*)?
gen_context(system_u:object_r:ntpd_pid_t,s0
> > )
> >
> > /usr/bin/ntpd --
gen_context(system_u:object_r:ntpd_exec_t,s0)
> > /usr/bin/ntpdate --
gen_context(system_u:object_r:ntpdate_exec_t,s0)
> >
> > @@ -31,6 +32,7 @@
> >
> > /var/lib/ntp(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
> > /var/lib/sntp-kod(/.*)?
gen_context(system_u:object_r:ntp_drift_t,s0)
> > /var/lib/systemd/clock --
gen_context(system_u:object_r:ntp_drift_t,s0
> > )
> >
> > +/var/lib/private/systemd/timesync(/.*)?
> > -- gen_context(system_u:object_r:ntp_drift_t,s0)>
> > /var/lock/ntpdate --
> > gen_context(system_u:object_r:ntpd_lock_t,s0)>
> > Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
> > +++ refpolicy-2.20180701/policy/modules/services/openvpn.te
> > @@ -175,3 +175,7 @@ optional_policy(`
> >
> > networkmanager_dbus_chat(openvpn_t)
> >
> > ')
> >
> > ')
> >
> > +
> > +optional_policy(`
> > + systemd_use_passwd_agent(openvpn_t)
> > +')
> > Index: refpolicy-2.20180701/policy/modules/services/postfix.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
> > +++ refpolicy-2.20180701/policy/modules/services/postfix.te
> > @@ -347,6 +347,12 @@ optional_policy(`
> >
> > ')
> >
> > optional_policy(`
> >
> > + dbus_send_system_bus(postfix_master_t)
> > + dbus_system_bus_client(postfix_master_t)
> > + init_dbus_chat(postfix_master_t)
> > +')
> > +
> > +optional_policy(`
> >
> > sendmail_signal(postfix_master_t)
> >
> > ')
> >
> > @@ -376,6 +382,10 @@ optional_policy(`
> >
> > init_dbus_chat(postfix_bounce_t)
> >
> > ')
> >
> > +optional_policy(`
> > + dbus_system_bus_client(postfix_bounce_t)
> > +')
> > +
> >
> > ########################################
> > #
> > # Cleanup local policy
> >
> > @@ -420,6 +430,12 @@ optional_policy(`
> >
> > mailman_read_data_files(postfix_cleanup_t)
> >
> > ')
> >
> > +optional_policy(`
> > + dbus_send_system_bus(postfix_cleanup_t)
> > + dbus_system_bus_client(postfix_cleanup_t)
> > + init_dbus_chat(postfix_cleanup_t)
> > +')
> > +
> >
> > ########################################
> > #
> > # Local local policy
> >
> > @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
> >
> > mcs_file_read_all(postfix_pickup_t)
> > mcs_file_write_all(postfix_pickup_t)
> >
> > +optional_policy(`
> > + dbus_system_bus_client(postfix_pickup_t)
> > + init_dbus_chat(postfix_pickup_t)
> > +')
> > +
> >
> > ########################################
> > #
> > # Pipe local policy
> >
> > @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po
> >
> > corecmd_exec_bin(postfix_qmgr_t)
> >
> > +optional_policy(`
> > + dbus_send_system_bus(postfix_qmgr_t)
> > + dbus_system_bus_client(postfix_qmgr_t)
> > + init_dbus_chat(postfix_qmgr_t)
> > +')
> > +
> >
> > ########################################
> > #
> > # Showq local policy
> >
> > @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
> >
> > mta_map_aliases(postfix_smtpd_t)
> >
> > optional_policy(`
> >
> > + dbus_send_system_bus(postfix_smtp_t)
> > + dbus_system_bus_client(postfix_smtp_t)
> > + init_dbus_chat(postfix_smtp_t)
> > +')
> > +
> > +optional_policy(`
> >
> > dovecot_stream_connect_auth(postfix_smtpd_t)
> > dovecot_stream_connect(postfix_smtpd_t)
> >
> > ')
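Review bot: The new block at the top of this hunk grants to `postfix_smtp_t`, but every surrounding line (`mta_read_aliases(postfix_smtpd_t)`, `mta_map_aliases(postfix_smtpd_t)`, the dovecot rules) belongs to the smtpd local policy section, so either the domain is a typo for `postfix_smtpd_t` or the block was placed in the wrong section. Please confirm which daemon produced the denials before merging: smtpd accepts inbound connections and smtp makes outbound ones, so the two have different exposure and the grant should land on the one that actually needs it. If it really is postfix_smtp_t, moving the block to the smtp section keeps the file's per-domain layout intact.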
> >
> > Index: refpolicy-2.20180701/policy/modules/services/ssh.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
> > +++ refpolicy-2.20180701/policy/modules/services/ssh.te
> > @@ -278,6 +278,7 @@ ifdef(`distro_debian',`
> >
> > ')
> >
> > ifdef(`init_systemd',`
> >
> > + init_dbus_chat(sshd_t)
> >
> > systemd_dbus_chat_logind(sshd_t)
> > init_rw_stream_sockets(sshd_t)
> >
> > ')
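Review bot: `init_dbus_chat(sshd_t)` gives the network-facing sshd domain two-way dbus messaging with init_t (PID 1), which is considerably broader than the logind chat already allowed on the next line, and nothing in the hunk says which sshd operation needs it. A comment above the line recording the triggering denial, e.g. `# sshd talks to systemd over dbus for <operation>` with the real operation filled in, would let a later reviewer judge whether a narrower systemd_* interface exists.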
> >
> > Index: refpolicy-2.20180701/policy/modules/services/tor.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
> > +++ refpolicy-2.20180701/policy/modules/services/tor.te
> > @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
> >
> > files_read_usr_files(tor_t)
> >
> > fs_search_tmpfs(tor_t)
> >
> > +# for log symlink on a tmpfs filesystem systemd creates for it
> > +fs_read_tmpfs_symlinks(tor_t)
> >
> > auth_use_nsswitch(tor_t)
> >
> > Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
> > +++ refpolicy-2.20180701/policy/modules/system/systemd.fc
> > @@ -50,6 +50,8 @@
> >
> > /run/\.nologin[^/]* --
gen_context(system_u:object_r:systemd_sessions_va
> > r_run_t,s0)
> > /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_
> > t,s0)>
> > +/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_pas
> > swd_var_run_t,s0)
> > +/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:syst
> > emd_passwd_var_run_t,s0)>
> > /run/systemd/resolve(/.*)?
> > gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
> > /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions
> > _var_run_t,s0)
> > /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessi
> > ons_var_run_t,s0)>
> > Index: refpolicy-2.20180701/policy/modules/system/systemd.te
> > ===================================================================
> > --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
> > +++ refpolicy-2.20180701/policy/modules/system/systemd.te
> > @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
> >
> > type systemd_nspawn_t;
> > type systemd_nspawn_exec_t;
> > init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
> >
> > +mcs_killall(systemd_nspawn_t)
> >
> > type systemd_nspawn_var_run_t;
> > files_pid_file(systemd_nspawn_var_run_t)
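Review bot: `mcs_killall(systemd_nspawn_t)` is placed in the declarations section between the type definitions, whereas the other nspawn rules in this patch go under the "Nspawn local policy" heading (the @@ -671 hunk); moving it there keeps refpolicy's declarations/policy split. Since mcs_killall exempts the domain from the MCS constraint when signalling processes at any category set, a short comment naming why nspawn needs this (presumably container payloads running at other levels, but that is inferred) would also be worth adding.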
> >
> > @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
> >
> > #
> >
> > dev_read_sysfs(systemd_gpt_generator_t)
> >
> > +files_list_usr(systemd_gpt_generator_t)
> >
> > files_read_etc_files(systemd_gpt_generator_t)
> > fs_getattr_xattr_fs(systemd_gpt_generator_t)
> > storage_raw_read_fixed_disk(systemd_gpt_generator_t)
> >
> > @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
> >
> > # Logind local policy
> > #
> >
> > -allow systemd_logind_t self:capability { chown dac_override fowner
> > sys_admin sys_tty_config }; +allow systemd_logind_t self:capability {
> > chown dac_override dac_read_search fowner sys_admin sys_tty_config };>
> > allow systemd_logind_t self:process { getcap setfscreate };
> > allow systemd_logind_t self:netlink_kobject_uevent_socket
> > create_socket_perms; allow systemd_logind_t self:unix_dgram_socket
> > create_socket_perms;>
> > @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
> >
> > # Nspawn local policy
> > #
> >
> > -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill
> > };
> > -allow systemd_nspawn_t self:capability { dac_override fsetid mknod
> > net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow
> > systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit
> > sigkill }; +allow systemd_nspawn_t self:capability { dac_override
> > dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin
> > sys_chroot };>
> > allow systemd_nspawn_t self:capability2 wake_alarm;
> > allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
> >
> > @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
> >
> > allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
> > init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
> >
> > -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
> > +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
> >
> > allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
> > allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
> >
> > +# for /tmp/.#inaccessible*
> > +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
> >
> > # for /run/systemd/nspawn/incoming in chroot
> > allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
> >
> > @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
> >
> > files_mounton_mnt(systemd_nspawn_t)
> > files_mounton_root(systemd_nspawn_t)
> > files_mounton_tmp(systemd_nspawn_t)
> >
> > +files_read_kernel_symbol_table(systemd_nspawn_t)
> >
> > files_setattr_pid_dirs(systemd_nspawn_t)
> >
> > fs_getattr_tmpfs(systemd_nspawn_t)
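Review bot: `files_read_kernel_symbol_table(systemd_nspawn_t)` grants read access to the kernel symbol table under /boot with no comment explaining what nspawn needs from it, unlike the `/tmp/.#inaccessible*` rule earlier in this file. Kernel symbol addresses are sensitive on systems relying on KASLR, so if the underlying AVC denial was only a getattr or search on that path, a narrower interface or a dontaudit would be preferable; if the read is genuinely required, please record the reason next to the rule so the grant can be re-evaluated later.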
> >
> > @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
> >
> > userdom_manage_user_home_dirs(systemd_nspawn_t)
> >
> > tunable_policy(`systemd_nspawn_labeled_namespace',`
> >
> > + corecmd_exec_bin(systemd_nspawn_t)
> >
> > corecmd_exec_shell(systemd_nspawn_t)
> >
> > dev_mounton(systemd_nspawn_t)
> >
> > @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
> >
> > fs_write_cgroup_files(systemd_nspawn_t)
> >
> > selinux_getattr_fs(systemd_nspawn_t)
> >
> > + selinux_remount_fs(systemd_nspawn_t)
> >
> > selinux_search_fs(systemd_nspawn_t)
> >
> > init_domtrans(systemd_nspawn_t)
> >
> > @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass
> >
> > seutil_search_default_contexts(systemd_passwd_agent_t)
> >
> > +userdom_use_user_ttys(systemd_passwd_agent_t)
> >
> > userdom_use_user_ptys(systemd_passwd_agent_t)
> >
> > optional_policy(`
> >
> > @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
> >
> > # Tmpfiles local policy
> > #
> >
> > -allow systemd_tmpfiles_t self:capability { chown dac_override fowner
> > fsetid mknod net_admin sys_admin }; +allow systemd_tmpfiles_t
> > self:capability { chown dac_override dac_read_search fowner fsetid mknod
> > net_admin sys_admin };>
> > allow systemd_tmpfiles_t self:process { setfscreate getcap };
> >
> > allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
> > relabelto manage_dir_perms };>
> > @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
> >
> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
> > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
> > read_file_perms;
> >
> > +kernel_getattr_proc(systemd_tmpfiles_t)
> >
> > kernel_read_kernel_sysctls(systemd_tmpfiles_t)
> > kernel_read_network_state(systemd_tmpfiles_t)
> >
> > +dev_getattr_fs(systemd_tmpfiles_t)
> >
> > dev_manage_all_dev_nodes(systemd_tmpfiles_t)
> > dev_read_urand(systemd_tmpfiles_t)
> > dev_relabel_all_sysfs(systemd_tmpfiles_t)
> >
> > @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
> >
> > files_manage_var_lib_dirs(systemd_tmpfiles_t)
> > files_purge_tmp(systemd_tmpfiles_t)
> > files_read_etc_files(systemd_tmpfiles_t)
> >
> > +files_read_etc_runtime_files(systemd_tmpfiles_t)
> >
> > files_relabel_all_lock_dirs(systemd_tmpfiles_t)
> > files_relabel_all_pid_dirs(systemd_tmpfiles_t)
> > files_relabel_all_tmp_dirs(systemd_tmpfiles_t)


--
My Main Blog http://etbe.coker.com.au/
My Documents Blog http://doc.coker.com.au/


2019-01-06 19:14:37

by Chris PeBenito

Subject: Re: [PATCH] systemd misc

On 1/5/19 9:34 PM, Russell Coker wrote:
> I'm not sure. If this is a problem then skip the Postfix bit and merge the
> rest; I can investigate Postfix more later.

I've merged this, though I'd still prefer to hear more about the Postfix
change, if possible.


> On Sunday, 6 January 2019 6:29:11 AM AEDT Chris PeBenito wrote:
>> On 1/4/19 2:54 AM, Russell Coker wrote:
>>> This patch has policy changes related to systemd and the systemd versions
>>> of system programs.
>>>
>>> Also has some dbus policy which probably isn't strictly a systemd thing,
>>> but it all came at the same time.
>>
>> Is all the postfix dbus usage due to a postfix change or something else?
>> I want to look for a pattern if this is not due to postfix code changes.
>>
>> I don't think I have any issues with anything else in the patch, but
>> will wait for the above answer to try to merge in one shot.
>>
>>> Index: refpolicy-2.20180701/policy/modules/admin/logrotate.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/admin/logrotate.te
>>> +++ refpolicy-2.20180701/policy/modules/admin/logrotate.te
>>> @@ -38,6 +38,8 @@ role system_r types logrotate_mail_t;
>>>
>>> #
>>>
>>> allow logrotate_t self:capability { chown dac_override dac_read_search
>>> fowner fsetid kill setgid setuid sys_nice sys_resource };>
>>> +# systemctl asks for net_admin
>>> +dontaudit logrotate_t self:capability net_admin;
>>>
>>> allow logrotate_t self:process { transition signal_perms getsched
>>> setsched getsession getpgid setpgid getcap setcap share getattr
>>> setfscreate noatsecure siginh setrlimit rlimitinh dyntransition
>>> setkeycreate setsockcreate getrlimit }; allow logrotate_t self:fd use;
>>> allow logrotate_t self:key manage_key_perms;
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/cron.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/cron.te
>>> +++ refpolicy-2.20180701/policy/modules/services/cron.te
>>> @@ -378,6 +378,10 @@ optional_policy(`
>>>
>>> ')
>>>
>>> optional_policy(`
>>>
>>> + init_dbus_chat(crond_t)
>>> + ')
>>> +
>>> + optional_policy(`
>>>
>>> unconfined_dbus_send(crond_t)
>>>
>>> ')
>>>
>>> ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
>>> +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
>>> @@ -138,6 +138,8 @@ dev_rw_wireless(NetworkManager_t)
>>>
>>> domain_use_interactive_fds(NetworkManager_t)
>>> domain_read_all_domains_state(NetworkManager_t)
>>>
>>> +# /etc/resolv.conf is a symlink written by NM
>>> +files_manage_etc_symlinks(NetworkManager_t)
>>>
>>> files_read_etc_runtime_files(NetworkManager_t)
>>> files_read_usr_files(NetworkManager_t)
>>> files_read_usr_src_files(NetworkManager_t)
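Review bot: `files_manage_etc_symlinks(NetworkManager_t)` gives NetworkManager create, write and delete rights on every symlink labelled etc_t, although the comment above it justifies only `/etc/resolv.conf`. A narrower alternative would be to label that one symlink as a network configuration type (for example through a named file transition for resolv.conf on etc_t lnk_file into net_conf_t, if the sysnet interfaces cover lnk_file), which keeps NetworkManager from being able to redirect other symlinks under /etc. If that is not practical, a comment stating that the broad grant was a deliberate trade-off would at least make the scope explicit.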
>>>
>>> @@ -346,6 +348,7 @@ optional_policy(`
>>>
>>> ')
>>>
>>> optional_policy(`
>>>
>>> + systemd_read_logind_pids(NetworkManager_t)
>>>
>>> systemd_read_logind_sessions_files(NetworkManager_t)
>>> systemd_write_inherited_logind_inhibit_pipes(NetworkManager_t)
>>>
>>> ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/ntp.fc
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/ntp.fc
>>> +++ refpolicy-2.20180701/policy/modules/services/ntp.fc
>>> @@ -13,6 +13,7 @@
>>>
>>> /etc/rc\.d/init\.d/ntpd?
>>> -- gen_context(system_u:object_r:ntpd_initrc_exec_t,s0)
>>>
>>> /run/ntpd\.pid -- gen_context(system_u:object_r:ntpd_pid_t,s0)
>>>
>>> +/run/systemd/timesync(/.*)?
> gen_context(system_u:object_r:ntpd_pid_t,s0
>>> )
>>>
>>> /usr/bin/ntpd --
> gen_context(system_u:object_r:ntpd_exec_t,s0)
>>> /usr/bin/ntpdate --
> gen_context(system_u:object_r:ntpdate_exec_t,s0)
>>>
>>> @@ -31,6 +32,7 @@
>>>
>>> /var/lib/ntp(/.*)?
> gen_context(system_u:object_r:ntp_drift_t,s0)
>>> /var/lib/sntp-kod(/.*)?
> gen_context(system_u:object_r:ntp_drift_t,s0)
>>> /var/lib/systemd/clock --
> gen_context(system_u:object_r:ntp_drift_t,s0
>>> )
>>>
>>> +/var/lib/private/systemd/timesync(/.*)?
>>> -- gen_context(system_u:object_r:ntp_drift_t,s0)>
>>> /var/lock/ntpdate --
>>> gen_context(system_u:object_r:ntpd_lock_t,s0)>
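Review bot: The new `/var/lib/private/systemd/timesync(/.*)?` entry carries a `--` file-type specifier, which restricts the match to regular files, so the timesync directory itself (and any subdirectories) would not receive ntp_drift_t and would keep the label of its parent. The sibling `/run/systemd/timesync(/.*)?` entry in the @@ -13 hunk omits the specifier, which is the usual form for a `(/.*)?` pattern; the fix is to drop it here: `/var/lib/private/systemd/timesync(/.*)? gen_context(system_u:object_r:ntp_drift_t,s0)`. If the `--` is only a line-wrapping artefact of the mail quoting, disregard this.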
>>> Index: refpolicy-2.20180701/policy/modules/services/openvpn.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/openvpn.te
>>> +++ refpolicy-2.20180701/policy/modules/services/openvpn.te
>>> @@ -175,3 +175,7 @@ optional_policy(`
>>>
>>> networkmanager_dbus_chat(openvpn_t)
>>>
>>> ')
>>>
>>> ')
>>>
>>> +
>>> +optional_policy(`
>>> + systemd_use_passwd_agent(openvpn_t)
>>> +')
>>> Index: refpolicy-2.20180701/policy/modules/services/postfix.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te
>>> +++ refpolicy-2.20180701/policy/modules/services/postfix.te
>>> @@ -347,6 +347,12 @@ optional_policy(`
>>>
>>> ')
>>>
>>> optional_policy(`
>>>
>>> + dbus_send_system_bus(postfix_master_t)
>>> + dbus_system_bus_client(postfix_master_t)
>>> + init_dbus_chat(postfix_master_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>
>>> sendmail_signal(postfix_master_t)
>>>
>>> ')
>>>
>>> @@ -376,6 +382,10 @@ optional_policy(`
>>>
>>> init_dbus_chat(postfix_bounce_t)
>>>
>>> ')
>>>
>>> +optional_policy(`
>>> + dbus_system_bus_client(postfix_bounce_t)
>>> +')
>>> +
>>>
>>> ########################################
>>> #
>>> # Cleanup local policy
>>>
>>> @@ -420,6 +430,12 @@ optional_policy(`
>>>
>>> mailman_read_data_files(postfix_cleanup_t)
>>>
>>> ')
>>>
>>> +optional_policy(`
>>> + dbus_send_system_bus(postfix_cleanup_t)
>>> + dbus_system_bus_client(postfix_cleanup_t)
>>> + init_dbus_chat(postfix_cleanup_t)
>>> +')
>>> +
>>>
>>> ########################################
>>> #
>>> # Local local policy
>>>
>>> @@ -561,6 +577,11 @@ delete_files_pattern(postfix_pickup_t, p
>>>
>>> mcs_file_read_all(postfix_pickup_t)
>>> mcs_file_write_all(postfix_pickup_t)
>>>
>>> +optional_policy(`
>>> + dbus_system_bus_client(postfix_pickup_t)
>>> + init_dbus_chat(postfix_pickup_t)
>>> +')
>>> +
>>>
>>> ########################################
>>> #
>>> # Pipe local policy
>>>
>>> @@ -708,6 +729,12 @@ files_spool_filetrans(postfix_qmgr_t, po
>>>
>>> corecmd_exec_bin(postfix_qmgr_t)
>>>
>>> +optional_policy(`
>>> + dbus_send_system_bus(postfix_qmgr_t)
>>> + dbus_system_bus_client(postfix_qmgr_t)
>>> + init_dbus_chat(postfix_qmgr_t)
>>> +')
>>> +
>>>
>>> ########################################
>>> #
>>> # Showq local policy
>>>
>>> @@ -786,6 +813,12 @@ mta_read_aliases(postfix_smtpd_t)
>>>
>>> mta_map_aliases(postfix_smtpd_t)
>>>
>>> optional_policy(`
>>>
>>> + dbus_send_system_bus(postfix_smtp_t)
>>> + dbus_system_bus_client(postfix_smtp_t)
>>> + init_dbus_chat(postfix_smtp_t)
>>> +')
>>> +
>>> +optional_policy(`
>>>
>>> dovecot_stream_connect_auth(postfix_smtpd_t)
>>> dovecot_stream_connect(postfix_smtpd_t)
>>>
>>> ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/ssh.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
>>> +++ refpolicy-2.20180701/policy/modules/services/ssh.te
>>> @@ -278,6 +278,7 @@ ifdef(`distro_debian',`
>>>
>>> ')
>>>
>>> ifdef(`init_systemd',`
>>>
>>> + init_dbus_chat(sshd_t)
>>>
>>> systemd_dbus_chat_logind(sshd_t)
>>> init_rw_stream_sockets(sshd_t)
>>>
>>> ')
>>>
>>> Index: refpolicy-2.20180701/policy/modules/services/tor.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/services/tor.te
>>> +++ refpolicy-2.20180701/policy/modules/services/tor.te
>>> @@ -108,6 +108,8 @@ files_read_etc_runtime_files(tor_t)
>>>
>>> files_read_usr_files(tor_t)
>>>
>>> fs_search_tmpfs(tor_t)
>>>
>>> +# for log symlink on a tmpfs filesystem systemd creates for it
>>> +fs_read_tmpfs_symlinks(tor_t)
>>>
>>> auth_use_nsswitch(tor_t)
>>>
>>> Index: refpolicy-2.20180701/policy/modules/system/systemd.fc
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.fc
>>> +++ refpolicy-2.20180701/policy/modules/system/systemd.fc
>>> @@ -50,6 +50,8 @@
>>>
>>> /run/\.nologin[^/]* --
> gen_context(system_u:object_r:systemd_sessions_va
>>> r_run_t,s0)
>>> /run/nologin -- gen_context(system_u:object_r:systemd_sessions_var_run_
>>> t,s0)>
>>> +/run/systemd/ask-password(/.*)? gen_context(system_u:object_r:systemd_pas
>>> swd_var_run_t,s0)
>>> +/run/systemd/ask-password-block(/.*)? gen_context(system_u:object_r:syst
>>> emd_passwd_var_run_t,s0)>
>>> /run/systemd/resolve(/.*)?
>>> gen_context(system_u:object_r:systemd_resolved_var_run_t,s0)
>>> /run/systemd/seats(/.*)? gen_context(system_u:object_r:systemd_sessions
>>> _var_run_t,s0)
>>> /run/systemd/sessions(/.*)? gen_context(system_u:object_r:systemd_sessi
>>> ons_var_run_t,s0)>
>>> Index: refpolicy-2.20180701/policy/modules/system/systemd.te
>>> ===================================================================
>>> --- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
>>> +++ refpolicy-2.20180701/policy/modules/system/systemd.te
>>> @@ -136,6 +136,7 @@ init_daemon_domain(systemd_notify_t, sys
>>>
>>> type systemd_nspawn_t;
>>> type systemd_nspawn_exec_t;
>>> init_system_domain(systemd_nspawn_t, systemd_nspawn_exec_t)
>>>
>>> +mcs_killall(systemd_nspawn_t)
>>>
>>> type systemd_nspawn_var_run_t;
>>> files_pid_file(systemd_nspawn_var_run_t)
>>>
>>> @@ -236,6 +237,7 @@ fs_register_binary_executable_type(syste
>>>
>>> #
>>>
>>> dev_read_sysfs(systemd_gpt_generator_t)
>>>
>>> +files_list_usr(systemd_gpt_generator_t)
>>>
>>> files_read_etc_files(systemd_gpt_generator_t)
>>> fs_getattr_xattr_fs(systemd_gpt_generator_t)
>>> storage_raw_read_fixed_disk(systemd_gpt_generator_t)
>>>
>>> @@ -387,7 +389,7 @@ logging_send_syslog_msg(systemd_log_pars
>>>
>>> # Logind local policy
>>> #
>>>
>>> -allow systemd_logind_t self:capability { chown dac_override fowner
>>> sys_admin sys_tty_config }; +allow systemd_logind_t self:capability {
>>> chown dac_override dac_read_search fowner sys_admin sys_tty_config };>
>>> allow systemd_logind_t self:process { getcap setfscreate };
>>> allow systemd_logind_t self:netlink_kobject_uevent_socket
>>> create_socket_perms; allow systemd_logind_t self:unix_dgram_socket
>>> create_socket_perms;>
>>> @@ -671,8 +673,8 @@ miscfiles_read_localization(systemd_noti
>>>
>>> # Nspawn local policy
>>> #
>>>
>>> -allow systemd_nspawn_t self:process { getcap setcap setfscreate sigkill
>>> };
>>> -allow systemd_nspawn_t self:capability { dac_override fsetid mknod
>>> net_admin setgid setuid setpcap sys_admin sys_chroot }; +allow
>>> systemd_nspawn_t self:process { getcap setcap setfscreate setrlimit
>>> sigkill }; +allow systemd_nspawn_t self:capability { dac_override
>>> dac_read_search fsetid mknod net_admin setgid setuid setpcap sys_admin
>>> sys_chroot };>
>>> allow systemd_nspawn_t self:capability2 wake_alarm;
>>> allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms;
>>>
>>> @@ -684,9 +686,11 @@ allow systemd_nspawn_t systemd_nspawn_va
>>>
>>> allow systemd_nspawn_t systemd_nspawn_var_run_t:file manage_file_perms;
>>> init_pid_filetrans(systemd_nspawn_t, systemd_nspawn_var_run_t, dir)
>>>
>>> -files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir })
>>> +files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_tmp_t, { dir file })
>>>
>>> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir manage_dir_perms;
>>> allow systemd_nspawn_t systemd_nspawn_tmp_t:dir mounton;
>>>
>>> +# for /tmp/.#inaccessible*
>>> +allow systemd_nspawn_t systemd_nspawn_tmp_t:file manage_file_perms;
>>>
>>> # for /run/systemd/nspawn/incoming in chroot
>>> allow systemd_nspawn_t systemd_nspawn_var_run_t:dir mounton;
>>>
>>> @@ -720,6 +724,7 @@ files_manage_mnt_dirs(systemd_nspawn_t)
>>>
>>> files_mounton_mnt(systemd_nspawn_t)
>>> files_mounton_root(systemd_nspawn_t)
>>> files_mounton_tmp(systemd_nspawn_t)
>>>
>>> +files_read_kernel_symbol_table(systemd_nspawn_t)
>>>
>>> files_setattr_pid_dirs(systemd_nspawn_t)
>>>
>>> fs_getattr_tmpfs(systemd_nspawn_t)
>>>
>>> @@ -751,6 +756,7 @@ sysnet_manage_config(systemd_nspawn_t)
>>>
>>> userdom_manage_user_home_dirs(systemd_nspawn_t)
>>>
>>> tunable_policy(`systemd_nspawn_labeled_namespace',`
>>>
>>> + corecmd_exec_bin(systemd_nspawn_t)
>>>
>>> corecmd_exec_shell(systemd_nspawn_t)
>>>
>>> dev_mounton(systemd_nspawn_t)
>>>
>>> @@ -776,6 +782,7 @@ tunable_policy(`systemd_nspawn_labeled_n
>>>
>>> fs_write_cgroup_files(systemd_nspawn_t)
>>>
>>> selinux_getattr_fs(systemd_nspawn_t)
>>>
>>> + selinux_remount_fs(systemd_nspawn_t)
>>>
>>> selinux_search_fs(systemd_nspawn_t)
>>>
>>> init_domtrans(systemd_nspawn_t)
>>>
>>> @@ -845,6 +852,7 @@ miscfiles_read_localization(systemd_pass
>>>
>>> seutil_search_default_contexts(systemd_passwd_agent_t)
>>>
>>> +userdom_use_user_ttys(systemd_passwd_agent_t)
>>>
>>> userdom_use_user_ptys(systemd_passwd_agent_t)
>>>
>>> optional_policy(`
>>>
>>> @@ -926,7 +934,7 @@ systemd_log_parse_environment(systemd_se
>>>
>>> # Tmpfiles local policy
>>> #
>>>
>>> -allow systemd_tmpfiles_t self:capability { chown dac_override fowner
>>> fsetid mknod net_admin sys_admin }; +allow systemd_tmpfiles_t
>>> self:capability { chown dac_override dac_read_search fowner fsetid mknod
>>> net_admin sys_admin };>
>>> allow systemd_tmpfiles_t self:process { setfscreate getcap };
>>>
>>> allow systemd_tmpfiles_t systemd_coredump_var_lib_t:dir { relabelfrom
>>> relabelto manage_dir_perms };>
>>> @@ -942,9 +950,11 @@ allow systemd_tmpfiles_t systemd_journal
>>>
>>> allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms;
>>> allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file
>>> read_file_perms;
>>>
>>> +kernel_getattr_proc(systemd_tmpfiles_t)
>>>
>>> kernel_read_kernel_sysctls(systemd_tmpfiles_t)
>>> kernel_read_network_state(systemd_tmpfiles_t)
>>>
>>> +dev_getattr_fs(systemd_tmpfiles_t)
>>>
>>> dev_manage_all_dev_nodes(systemd_tmpfiles_t)
>>> dev_read_urand(systemd_tmpfiles_t)
>>> dev_relabel_all_sysfs(systemd_tmpfiles_t)
>>>
>>> @@ -960,6 +970,7 @@ files_manage_var_dirs(systemd_tmpfiles_t
>>>
>>> files_manage_var_lib_dirs(systemd_tmpfiles_t)
>>> files_purge_tmp(systemd_tmpfiles_t)
>>> files_read_etc_files(systemd_tmpfiles_t)
>>>
>>> +files_read_etc_runtime_files(systemd_tmpfiles_t)
>>>
>>> files_relabel_all_lock_dirs(systemd_tmpfiles_t)
>>> files_relabel_all_pid_dirs(systemd_tmpfiles_t)
>>> files_relabel_all_tmp_dirs(systemd_tmpfiles_t)
>
>


--
Chris PeBenito