Return-Path: X-Spam-Checker-Version: SpamAssassin 3.4.0 (2014-02-07) on aws-us-west-2-korg-lkml-1.web.codeaurora.org X-Spam-Level: X-Spam-Status: No, score=-2.6 required=3.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,HEADER_FROM_DIFFERENT_DOMAINS,MAILING_LIST_MULTI,SPF_PASS, USER_AGENT_MUTT autolearn=ham autolearn_force=no version=3.4.0 Received: from mail.kernel.org (mail.kernel.org [198.145.29.99]) by smtp.lore.kernel.org (Postfix) with ESMTP id 75C00C282C3 for ; Tue, 22 Jan 2019 09:00:38 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [209.132.180.67]) by mail.kernel.org (Postfix) with ESMTP id 3C08120854 for ; Tue, 22 Jan 2019 09:00:38 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=coker.com.au header.i=@coker.com.au header.b="meyN9EgQ" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1727585AbfAVJAi (ORCPT ); Tue, 22 Jan 2019 04:00:38 -0500 Received: from smtp.sws.net.au ([46.4.88.250]:55164 "EHLO smtp.sws.net.au" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1727474AbfAVJAh (ORCPT ); Tue, 22 Jan 2019 04:00:37 -0500 Received: from xev.coker.com.au (localhost [127.0.0.1]) by smtp.sws.net.au (Postfix) with ESMTP id B7051EDB4 for ; Tue, 22 Jan 2019 20:00:33 +1100 (AEDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au; s=2008; t=1548147634; bh=YwpolwibU8MadY3/rcs+37GlHuN8g815wW6oGLH54Ac=; l=6639; h=Date:From:To:Subject:From; b=meyN9EgQrWoHWs0z10cas32Kv8+HgrbVgjLzF/wvZ4smztT7kFrq+LBVfrtviaCuI h/RzvbDeHjG8ZqISycLjHf+4vz7VFrn9R1IHyMAKW1KKILLEXcGXinpA3ueqtzCsDz tbdQTU9xxR/lmSZASVdJLfGlWhIFSLhXYdMEMwEs= Received: by xev.coker.com.au (Postfix, from userid 1001) id C8AF1C67FB2; Tue, 22 Jan 2019 20:00:28 +1100 (AEDT) Date: Tue, 22 Jan 2019 20:00:28 +1100 
From: Russell Coker To: "selinux-refpolicy@vger.kernel.org" Subject: [PATCH] tiny stuff for today Message-ID: <20190122090028.GA6927@xev> MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline User-Agent: Mutt/1.10.1 (2018-07-13) Sender: selinux-refpolicy-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Allow transition to dpkg_t with nnp, Dominick seems to imply this shouldn't be necessary. Lots of little stuff for system_cronjob_t. Other minor trivial changes that should be obvious.
Index: refpolicy-2.20180701/policy/modules/admin/dpkg.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/admin/dpkg.if
+++ refpolicy-2.20180701/policy/modules/admin/dpkg.if
@@ -337,3 +337,21 @@ interface(`dpkg_read_script_tmp_symlinks
 allow $1 dpkg_script_tmp_t:lnk_file read_lnk_file_perms;
 ')
+
+########################################
+##
+## Transition to dpkg_t when NNP has been set
+##
+##
+##
+## Domain allowed access.
+##
+##
+#
+interface(`dpkg_nnp_transition',`
+ gen_require(`
+ type dpkg_t;
+ ')
+
+ allow $1 dpkg_t:process2 nnp_transition;
+')
Index: refpolicy-2.20180701/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/cron.te
+++ refpolicy-2.20180701/policy/modules/services/cron.te
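Review bot: The new `dpkg_nnp_transition` interface grants `process2 nnp_transition` without recording which caller needs it, and the cover letter itself says the rule may be unnecessary; an nnp_transition rule lets a process that has set no_new_privs still change domain into dpkg_t, which is the privilege gain NNP exists to prevent, so the triggering denial or configuration should be stated before this is merged. I would extend the interface summary to something like `Transition to dpkg_t when the caller runs with no_new_privs set (e.g. a service unit with NoNewPrivileges=yes); only needed when a process2 nnp_transition denial is observed.` The XML summary/param tags of the interface header do not survive in this rendering, so the doc block should be checked against the original mail.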
@@ -456,8 +456,8 @@ optional_policy(`
 # System local policy
 #
-allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice };
-allow system_cronjob_t self:process { signal_perms getsched setsched };
+allow system_cronjob_t self:capability { chown dac_override dac_read_search fowner fsetid net_admin net_bind_service setgid setuid sys_nice sys_resource };
+allow system_cronjob_t self:process { signal_perms getsched setsched setrlimit };
 allow system_cronjob_t self:fd use;
 allow system_cronjob_t self:fifo_file rw_fifo_file_perms;
 allow system_cronjob_t self:passwd rootok;
@@ -499,6 +499,7 @@ kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
 kernel_read_system_state(system_cronjob_t)
@@ -535,6 +536,7 @@ fs_getattr_all_sockets(system_cronjob_t)
 domain_dontaudit_read_all_domains_state(system_cronjob_t)
 files_exec_etc_files(system_cronjob_t)
+files_exec_usr_files(system_cronjob_t)
 files_read_etc_runtime_files(system_cronjob_t)
 files_list_all(system_cronjob_t)
 files_getattr_all_dirs(system_cronjob_t)
@@ -561,7 +563,7 @@ auth_use_nsswitch(system_cronjob_t)
 libs_exec_lib_files(system_cronjob_t)
 libs_exec_ld_so(system_cronjob_t)
-logging_read_generic_logs(system_cronjob_t)
+logging_manage_generic_logs(system_cronjob_t)
 logging_send_audit_msgs(system_cronjob_t)
 logging_send_syslog_msg(system_cronjob_t)
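Review bot: `sys_resource` is added to the system_cronjob_t capability set together with `setrlimit`, with no comment naming the job that needs it; CAP_SYS_RESOURCE is only required to raise a hard limit (and it also unlocks quota and reserved-space overrides), so if the job merely lowers or re-applies limits the process permission alone should clear the denial. I would try `setrlimit` on its own first and, if the capability is still needed, document it in place, e.g. `# sys_resource: <job> raises an RLIMIT hard limit` above the capability rule.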
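Review bot: Replacing `logging_read_generic_logs` with `logging_manage_generic_logs` in the -561,7 hunk lets every system cron job create, rewrite and delete any file of the generic log type, not just the one a particular job writes, which also makes the logs easier to tamper with from a compromised job; the hunk gives no hint which job triggered it. If a single job writes its own log, a dedicated log type with a filetrans would be narrower; otherwise add a comment such as `# manage rather than read: <job> writes/rotates its own files under /var/log` so the widening stays traceable. The other cron.te hunks in this mail only add read-only sysctl and exec access and need no such note.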
@@ -675,6 +677,9 @@ optional_policy(`
 optional_policy(`
 userdom_user_home_dir_filetrans_user_home_content(system_cronjob_t, { dir file lnk_file fifo_file sock_file })
+
+ # for gpg-connect-agent to access /run/user/0
+ userdom_manage_user_runtime_dirs(system_cronjob_t)
 ')
 ########################################
Index: refpolicy-2.20180701/policy/modules/services/networkmanager.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/networkmanager.te
+++ refpolicy-2.20180701/policy/modules/services/networkmanager.te
@@ -89,7 +89,7 @@ manage_files_pattern(NetworkManager_t, N
 manage_sock_files_pattern(NetworkManager_t, NetworkManager_var_run_t, NetworkManager_var_run_t)
 files_pid_filetrans(NetworkManager_t, NetworkManager_var_run_t, { dir file sock_file })
-can_exec(NetworkManager_t, { NetworkManager_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
+can_exec(NetworkManager_t, { NetworkManager_exec_t NetworkManager_initrc_exec_t wpa_cli_exec_t NetworkManager_tmp_t })
 kernel_read_crypto_sysctls(NetworkManager_t)
 kernel_read_system_state(NetworkManager_t)
@@ -136,6 +136,9 @@ dev_dontaudit_getattr_generic_blk_files(
 dev_getattr_all_chr_files(NetworkManager_t)
 dev_rw_wireless(NetworkManager_t)
+# for access(2)
+dev_write_sysfs_dirs(NetworkManager_t)
+
 domain_use_interactive_fds(NetworkManager_t)
 domain_read_all_domains_state(NetworkManager_t)
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -147,6 +147,7 @@ type xauth_t;
 type xauth_exec_t;
 typealias xauth_t alias { user_xauth_t staff_xauth_t sysadm_xauth_t };
 typealias xauth_t alias { auditadm_xauth_t secadm_xauth_t };
+userdom_manage_user_tmp_dirs(xauth_t)
 userdom_user_application_domain(xauth_t, xauth_exec_t)
 type xauth_home_t;
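Review bot: The comment says gpg-connect-agent only needs to access /run/user/0, but `userdom_manage_user_runtime_dirs` grants create, write and delete on the runtime directories of every user, not just root's; a search- or read-level userdom interface, if one matches the actual denial, would be closer to what the comment describes. If full manage really is required (e.g. the agent creates its socket directory), say so: `# gpg-connect-agent creates/removes dirs under /run/user/<uid>`. The enclosing optional_policy block is fully inside the hunk, but the rest of the system_cronjob_t local policy is outside it.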
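Review bot: A denial caused by `access(2)` probing for write permission is the usual case for a dontaudit rather than an allow, yet the -136,6 hunk of networkmanager.te grants `dev_write_sysfs_dirs` to NetworkManager_t, which gives the daemon real directory write access to sysfs; unless NetworkManager subsequently writes there, the dontaudit counterpart of this interface (if devices.if provides one) keeps the audit log quiet without widening the domain. I would either switch to the dontaudit form or expand the comment to `# access(2) with W_OK on sysfs dirs; NetworkManager then writes <what>` so the allow is justified.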
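Review bot: `userdom_manage_user_tmp_dirs(xauth_t)` in the -147,6 hunk of xserver.te is inserted among the type and typealias declarations of xauth_t rather than in its local policy section, where `userdom_read_user_tmp_files(xauth_t)` already lives (the -308,6 hunk of the same file); refpolicy keeps declarations and rules apart, so the call should move next to that rule. It also takes xauth_t from reading user tmp files to managing user tmp directories, which deserves a one-line comment naming the need, e.g. `# manage user tmp dirs: <reason>`.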
@@ -308,6 +309,7 @@ userdom_use_user_terminals(xauth_t)
 userdom_read_user_tmp_files(xauth_t)
 xserver_rw_xdm_tmp_files(xauth_t)
+xserver_stream_connect(xauth_t)
 tunable_policy(`use_nfs_home_dirs',`
 fs_manage_nfs_files(xauth_t)
Index: refpolicy-2.20180701/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20180701/policy/modules/system/unconfined.te
@@ -89,6 +89,7 @@ optional_policy(`
 ')
 optional_policy(`
+ dpkg_nnp_transition(unconfined_t)
 dpkg_run(unconfined_t, unconfined_r)
 ')
Index: refpolicy-2.20180701/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180701/policy/modules/system/modutils.te
@@ -102,6 +102,7 @@ files_manage_kernel_modules(kmod_t)
 fs_getattr_xattr_fs(kmod_t)
 fs_dontaudit_use_tmpfs_chr_dev(kmod_t)
+fs_search_tracefs(kmod_t)
 init_rw_initctl(kmod_t)
 init_use_fds(kmod_t)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -753,7 +753,8 @@ fs_getattr_tmpfs(systemd_nspawn_t)
 fs_manage_tmpfs_chr_files(systemd_nspawn_t)
 fs_mount_tmpfs(systemd_nspawn_t)
 fs_remount_tmpfs(systemd_nspawn_t)
-fs_search_cgroup_dirs(systemd_nspawn_t)
+fs_remount_xattr_fs(systemd_nspawn_t)
+fs_read_cgroup_files(systemd_nspawn_t)
 term_getattr_generic_ptys(systemd_nspawn_t)
 term_getattr_pty_fs(systemd_nspawn_t)
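Review bot: `fs_remount_xattr_fs` gives systemd_nspawn_t remount access on the host's xattr filesystems, a host-affecting privilege well beyond the cgroup search it sits next to, and the hunk does not say which nspawn operation remounts (a read-only remount of a bind-mounted container root is plausible, but that is a guess). A comment such as `# remount: <nspawn option that triggers it>` above the rule would let the next reader verify it. Dropping `fs_search_cgroup_dirs` looks fine provided the read interface that replaces it carries directory search on the same type, as the usual read_files_pattern does.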