Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, URIBL_BLOCKED,USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 43650C43387 for ; Fri, 4 Jan 2019 07:34:06 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id F32A62184B for ; Fri, 4 Jan 2019 07:34:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="RyrzTN8k" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726199AbfADHeF (ORCPT ); Fri, 4 Jan 2019 02:34:05 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:39606 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726036AbfADHeF (ORCPT ); Fri, 4 Jan 2019 02:34:05 -0500 Received: from liv.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id 32377EE69 for ; Fri, 4 Jan 2019 18:34:03 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1546587243; bh=BJbi6eS2pfDJPP4DAYMwBskp/B5DJOgY0XYL/P7tWpQ=; l=10933; h=Date:From:To:Subject:From; b=RyrzTN8k0M2Q6hMVb3Mv0KwT5AflvFBZtBsA7DUf7CBdwlOUNho9ZtpZabpD4kYSL 8vjuKt26DPyhU7D4sWzJZaFJ0LsESN02/2ZMYkevxBDJ2zYNcjf6KMjgpZfSZKPW1y nrM8YSwAbG96WP34rQt0jf5ptz+LZXOXZxd5JF/0= Received: by liv.coker.com.au (Postfix, from userid 1000) id 4019E2D1E72; Fri, 4 Jan 2019 18:33:57 +1100 (AEDT) Date: Fri, 4 Jan 2019 18:33:57 +1100 
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] misc services patches Message-ID: <20190104073357.GB11256@aaa.coker.com.au> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Lots of little patches to services. Index: refpolicy-2.20180701/policy/modules/services/boinc.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/boinc.te +++ refpolicy-2.20180701/policy/modules/services/boinc.te @@ -47,7 +47,7 @@ files_tmp_file(boinc_project_tmp_t) # Local policy # -allow boinc_t self:process { setsched setpgid signull sigkill }; +allow boinc_t self:process { setsched setpgid signull sigkill signal }; allow boinc_t self:unix_stream_socket { accept listen }; allow boinc_t self:tcp_socket { accept listen }; allow boinc_t self:shm create_shm_perms; @@ -80,12 +80,15 @@ logging_log_filetrans(boinc_t, boinc_log can_exec(boinc_t, boinc_var_lib_t) libs_exec_lib_files(boinc_t) +# for mmap of ld.so.cache +libs_legacy_use_ld_so(boinc_t) domtrans_pattern(boinc_t, boinc_project_var_lib_t, boinc_project_t) kernel_read_system_state(boinc_t) kernel_search_vm_sysctl(boinc_t) kernel_read_crypto_sysctls(boinc_t) +kernel_read_kernel_sysctls(boinc_t) corenet_all_recvfrom_unlabeled(boinc_t) corenet_all_recvfrom_netlabel(boinc_t) @@ -142,6 +145,7 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) miscfiles_read_fonts(boinc_t) +miscfiles_read_generic_certs(boinc_t) miscfiles_read_localization(boinc_t) tunable_policy(`boinc_execmem',` 
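Review bot: `libs_legacy_use_ld_so(boinc_t)` is justified only by `# for mmap of ld.so.cache`, yet the interface name marks it as the legacy variant; if the underlying denial is the `map` permission on ld_so_cache_t that newer kernels check separately, that belongs in the common `libs_use_ld_so` interface rather than in a per-domain legacy call, so the AVC message should be confirmed before this is merged. `kernel_read_kernel_sysctls(boinc_t)` in the same hunk also arrives without a comment; a one-line `# for <program/denial>` note, as the later hunk does for lsb_release, would record why the client needs /proc/sys/kernel. Both calls sit in boinc_t's local policy, which continues outside the hunk.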
@@ -210,5 +214,18 @@ term_getattr_generic_ptys(boinc_t) userdom_getattr_user_ttys(boinc_t) optional_policy(` + # for lsb_release -a + apt_read_cache(boinc_t) + apt_read_db(boinc_t) + dpkg_exec(boinc_t) + dpkg_read_db(boinc_t) + + apt_read_cache(boinc_project_t) + apt_read_db(boinc_project_t) + dpkg_exec(boinc_project_t) + dpkg_read_db(boinc_project_t) +') + +optional_policy(` java_exec(boinc_project_t) ') Index: refpolicy-2.20180701/policy/modules/services/consolekit.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/consolekit.te +++ refpolicy-2.20180701/policy/modules/services/consolekit.te @@ -27,7 +27,7 @@ init_daemon_pid_file(consolekit_var_run_ # Local policy # -allow consolekit_t self:capability { chown dac_override fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; +allow consolekit_t self:capability { chown dac_override dac_read_search fowner setgid setuid sys_admin sys_nice sys_ptrace sys_tty_config }; allow consolekit_t self:process { getsched signal setfscreate }; allow consolekit_t self:fifo_file rw_fifo_file_perms; allow consolekit_t self:unix_stream_socket { accept listen }; Index: refpolicy-2.20180701/policy/modules/services/devicekit.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/devicekit.te +++ refpolicy-2.20180701/policy/modules/services/devicekit.te @@ -43,6 +43,7 @@ files_pid_filetrans(devicekit_t, devicek kernel_read_system_state(devicekit_t) dev_read_sysfs(devicekit_t) +dev_read_rand(devicekit_t) dev_read_urand(devicekit_t) files_read_etc_files(devicekit_t) Index: refpolicy-2.20180701/policy/modules/services/dictd.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/dictd.te +++ refpolicy-2.20180701/policy/modules/services/dictd.te 
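Review bot: The new optional_policy block grants apt_read_cache, apt_read_db, dpkg_exec and dpkg_read_db to boinc_project_t as well as to boinc_t, but the comment `# for lsb_release -a` only explains the client's need; boinc_project_t is entered by domain transition from boinc_project_var_lib_t (earlier hunk of this file), so if it is the domain for downloaded project applications this is a wider grant to less trusted code, and the denial for boinc_project_t should be confirmed separately or the block limited to boinc_t. Refpolicy convention is also one module per optional_policy block, so the apt_* and dpkg_* calls would normally be split into two blocks so that the absence of either module does not drop both sets of rules. The enclosing file section continues outside the hunk.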
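Review bot: `dac_read_search` is added to consolekit_t's capability set without a comment, next to a `dac_override` that is already in the set; presumably this silences an AVC that the kernel raises before it consults dac_override rather than granting new reach, but that reasoning is worth stating inline so a later cleanup does not drop it, e.g. `# dac_read_search is checked before dac_override on reads` on the line above the allow rule.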
@@ -74,6 +74,10 @@ miscfiles_read_localization(dictd_t) userdom_dontaudit_use_unpriv_user_fds(dictd_t) optional_policy(` + dbus_system_bus_client(dictd_t) +') + +optional_policy(` seutil_sigchld_newrole(dictd_t) ') Index: refpolicy-2.20180701/policy/modules/services/fetchmail.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/fetchmail.te +++ refpolicy-2.20180701/policy/modules/services/fetchmail.te @@ -78,6 +78,7 @@ dev_read_rand(fetchmail_t) dev_read_urand(fetchmail_t) files_read_etc_runtime_files(fetchmail_t) +files_read_usr_files(fetchmail_t) files_search_tmp(fetchmail_t) files_dontaudit_search_home(fetchmail_t) Index: refpolicy-2.20180701/policy/modules/services/gdomap.fc =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.fc +++ refpolicy-2.20180701/policy/modules/services/gdomap.fc @@ -5,3 +5,4 @@ /usr/bin/gdomap -- gen_context(system_u:object_r:gdomap_exec_t,s0) /run/gdomap\.pid -- gen_context(system_u:object_r:gdomap_var_run_t,s0) +/run/gdomap(/.*)? gen_context(system_u:object_r:gdomap_var_run_t,s0) Index: refpolicy-2.20180701/policy/modules/services/gdomap.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/gdomap.te +++ refpolicy-2.20180701/policy/modules/services/gdomap.te @@ -27,6 +27,8 @@ allow gdomap_t self:capability { net_bin allow gdomap_t self:tcp_socket { listen accept }; allow gdomap_t gdomap_var_run_t:file manage_file_perms; +# gdomap_var_run_t dir is for chroot +allow gdomap_t gdomap_var_run_t:dir search; files_pid_filetrans(gdomap_t, gdomap_var_run_t, file, "gdomap.pid") corenet_sendrecv_gdomap_server_packets(gdomap_t) 
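Review bot: The comment `# gdomap_var_run_t dir is for chroot` explains the new `dir search` rule, but chroot(2) also needs the sys_chroot capability, and gdomap_t's self:capability set is cut off in this hunk's header context (`{ net_bin`), so confirm sys_chroot is present there or the chroot will still be denied. If the daemon merely searches the directory to reach files inside it rather than chrooting into it, the comment should name that operation instead. gdomap_t's local policy continues outside the hunk.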
@@ -44,3 +46,5 @@ files_search_tmp(gdomap_t) auth_use_nsswitch(gdomap_t) logging_send_syslog_msg(gdomap_t) + +miscfiles_read_localization(gdomap_t) Index: refpolicy-2.20180701/policy/modules/services/irqbalance.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/irqbalance.te +++ refpolicy-2.20180701/policy/modules/services/irqbalance.te @@ -45,6 +45,7 @@ files_read_etc_runtime_files(irqbalance_ fs_getattr_all_fs(irqbalance_t) fs_search_auto_mountpoints(irqbalance_t) +fs_search_tmpfs(irqbalance_t) domain_use_interactive_fds(irqbalance_t) Index: refpolicy-2.20180701/policy/modules/services/jabber.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/jabber.te +++ refpolicy-2.20180701/policy/modules/services/jabber.te @@ -38,6 +38,7 @@ allow jabberd_domain self:fifo_file rw_f allow jabberd_domain self:tcp_socket { accept listen }; manage_files_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t) +allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms; kernel_read_system_state(jabberd_domain) @@ -46,6 +47,7 @@ corenet_all_recvfrom_netlabel(jabberd_do corenet_tcp_sendrecv_generic_if(jabberd_domain) corenet_tcp_sendrecv_generic_node(jabberd_domain) corenet_tcp_bind_generic_node(jabberd_domain) +corenet_udp_bind_generic_node(jabberd_domain) dev_read_urand(jabberd_domain) dev_read_sysfs(jabberd_domain) Index: refpolicy-2.20180701/policy/modules/services/mon.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/mon.te +++ refpolicy-2.20180701/policy/modules/services/mon.te @@ -161,6 +161,7 @@ optional_policy(` allow mon_local_test_t self:capability sys_admin; allow mon_local_test_t self:fifo_file rw_file_perms; +allow mon_local_test_t self:process getsched; can_exec(mon_local_test_t, mon_local_test_exec_t) 
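Review bot: `allow jabberd_domain jabberd_var_lib_t:dir manage_dir_perms;` sits directly under a `manage_files_pattern(...)` call on the same type, so the idiomatic refpolicy form is the matching pattern macro, `manage_dirs_pattern(jabberd_domain, jabberd_var_lib_t, jabberd_var_lib_t)`, which keeps the two rules visually and semantically paired. A short comment saying which jabberd component creates directories under its var_lib would also help, since the hunk gives no rationale. The jabberd_domain section continues outside the hunk.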
@@ -168,6 +169,8 @@ manage_files_pattern(mon_local_test_t, m kernel_dontaudit_getattr_core_if(mon_local_test_t) kernel_getattr_proc(mon_local_test_t) +# for ps +kernel_read_kernel_sysctls(mon_local_test_t) kernel_read_software_raid_state(mon_local_test_t) kernel_read_system_state(mon_local_test_t) @@ -207,6 +210,7 @@ init_getattr_initctl(mon_local_test_t) logging_send_syslog_msg(mon_local_test_t) +miscfiles_read_generic_certs(mon_t) miscfiles_read_localization(mon_local_test_t) sysnet_read_config(mon_local_test_t) Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te +++ refpolicy-2.20180701/policy/modules/services/networkmanager.te @@ -57,6 +57,7 @@ allow NetworkManager_t self:tcp_socket { allow NetworkManager_t self:tun_socket { create_socket_perms relabelfrom relabelto }; allow NetworkManager_t self:packet_socket create_socket_perms; allow NetworkManager_t self:socket create_socket_perms; +allow NetworkManager_t self:rawip_socket { create setopt getattr write read }; allow NetworkManager_t wpa_cli_t:unix_dgram_socket sendto; Index: refpolicy-2.20180701/policy/modules/services/policykit.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/policykit.te +++ refpolicy-2.20180701/policy/modules/services/policykit.te @@ -108,6 +108,7 @@ userdom_read_all_users_state(policykit_t optional_policy(` dbus_system_domain(policykit_t, policykit_exec_t) + init_dbus_chat(policykit_t) userdom_dbus_send_all_users(policykit_t) Index: refpolicy-2.20180701/policy/modules/services/postfix.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/postfix.te +++ refpolicy-2.20180701/policy/modules/services/postfix.te 
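Review bot: `miscfiles_read_generic_certs(mon_t)` is inserted among the mon_local_test_t rules (every neighbouring line in the hunk takes mon_local_test_t), so either the argument is a typo for mon_local_test_t or the line belongs in mon_t's own local policy section earlier in the file. Grants for one domain placed inside another domain's section are exactly what later cleanups miss; move it, or change the argument if the denial was for mon_local_test_t, so the file's per-domain layout stays intact. The mon_local_test_t section continues outside the hunk.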
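Review bot: The new `rawip_socket { create setopt getattr write read }` rule for NetworkManager_t has no comment; raw IP sockets let the daemon emit arbitrary IP packets, so a `# for <feature>` line (presumably connectivity checking, to be confirmed from the AVC) should record why the grant is acceptable. Keeping an explicit narrow set rather than the `create_socket_perms` used on the neighbouring lines is the right choice here; only the rationale is missing. NetworkManager_t's local policy continues outside the hunk.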
@@ -372,6 +372,10 @@ manage_dirs_pattern(postfix_bounce_t, po manage_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) manage_lnk_files_pattern(postfix_bounce_t, postfix_spool_bounce_t, postfix_spool_bounce_t) +optional_policy(` + init_dbus_chat(postfix_bounce_t) +') + ######################################## # # Cleanup local policy Index: refpolicy-2.20180701/policy/modules/services/ssh.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/ssh.te +++ refpolicy-2.20180701/policy/modules/services/ssh.te @@ -248,6 +248,9 @@ optional_policy(` # sshd_t is the domain for the sshd program. # +# for /run/user/UID/bus access, probably pam_systemd.so +allow sshd_t self:capability dac_read_search; + # so a tunnel can point to another ssh tunnel allow sshd_t self:netlink_route_socket r_netlink_socket_perms; allow sshd_t self:key { search link write }; Index: refpolicy-2.20180701/policy/modules/services/tor.te =================================================================== --- refpolicy-2.20180701.orig/policy/modules/services/tor.te +++ refpolicy-2.20180701/policy/modules/services/tor.te @@ -99,6 +99,7 @@ corenet_tcp_sendrecv_all_ports(tor_t) corenet_tcp_sendrecv_all_reserved_ports(tor_t) dev_read_sysfs(tor_t) +dev_read_rand(tor_t) dev_read_urand(tor_t) domain_use_interactive_fds(tor_t) @@ -112,6 +113,7 @@ auth_use_nsswitch(tor_t) logging_send_syslog_msg(tor_t) +miscfiles_read_generic_certs(tor_t) miscfiles_read_localization(tor_t) tunable_policy(`tor_bind_all_unreserved_ports',`
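Review bot: The new optional_policy block gives postfix_bounce_t `init_dbus_chat`, but nothing in the hunk makes postfix_bounce_t a D-Bus client and there is no comment saying what it talks to init about; without a `dbus_system_bus_client(postfix_bounce_t)` somewhere outside the hunk the rule has no effect, and if the real trigger was something other than D-Bus traffic the rule is mis-targeted. A comment above the block naming the observed denial, e.g. `# for <observed AVC> -- TODO confirm`, would let a later reader judge whether the chat rule is still needed. The postfix_bounce_t section continues outside the hunk.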
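Review bot: `allow sshd_t self:capability dac_read_search;` is justified by a comment that itself says `probably pam_systemd.so`, so the grant rests on a guess; dac_read_search lets a network-facing daemon bypass DAC read and search checks on every file its MAC rules already permit, which deserves the actual AVC (process, path, permission) recorded in the comment rather than a "probably". If dac_override is already granted to sshd_t outside this hunk the addition only matches the kernel's check order, otherwise it is a new DAC bypass and should be confirmed against the denial before merging. sshd_t's local policy continues outside the hunk.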