Date:   Thu, 31 Jan 2019 13:58:52 +1100
From:   Russell Coker <russell@coker.com.au>
To:     "selinux-refpolicy@vger.kernel.org" 
        <selinux-refpolicy@vger.kernel.org>
Subject: [PATCH] more misc stuff
Message-ID: <20190131025852.GA15874@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
User-Agent: Mutt/1.10.1 (2018-07-13)
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk

Here's the latest stuff, most of which is to make staff_t usable as a login
domain.  Please merge whatever you think is good and skip the rest.

Index: refpolicy-2.20180701/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20180701/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_crypto_sysctls($1_t)
+	kernel_read_vm_overcommit_sysctl($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -110,11 +112,15 @@ template(`userdom_base_user_template',`
 
 	libs_exec_ld_so($1_t)
 
+	logging_send_syslog_msg($1_t)
+
 	miscfiles_read_localization($1_t)
 	miscfiles_read_generic_certs($1_t)
 
 	sysnet_read_config($1_t)
 
+	userdom_write_all_user_runtime_named_sockets($1_t)
+
 	# kdeinit wants systemd status
 	init_get_system_status($1_t)
 
@@ -858,6 +864,10 @@ template(`userdom_common_user_template',
 	')
 
 	optional_policy(`
+		udev_read_pid_files($1_t)
+	')
+
+	optional_policy(`
 		usernetctl_run($1_t, $1_r)
 	')
 
@@ -1205,6 +1215,12 @@ template(`userdom_unpriv_user_template',
 
 	optional_policy(`
 		systemd_dbus_chat_logind($1_t)
+		systemd_use_logind_fds($1_t)
+		# kwalletd5 inherits a socket from init
+		init_rw_inherited_stream_socket($1_t)
+		init_use_fds($1_t)
+		# for polkit-kde-auth
+		init_read_state($1_t)
 	')
 ')
 
@@ -3426,6 +3442,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##	write user runtime socket files
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	Create objects in the pid directory
 ##	with an automatic type transition to
Index: refpolicy-2.20180701/policy/modules/roles/staff.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/staff.te
+++ refpolicy-2.20180701/policy/modules/roles/staff.te
@@ -32,6 +32,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modemmanager_dbus_chat(staff_t)
+')
+
+optional_policy(`
 	postgresql_role(staff_r, staff_t)
 ')
 
Index: refpolicy-2.20180701/policy/modules/roles/unprivuser.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/roles/unprivuser.te
+++ refpolicy-2.20180701/policy/modules/roles/unprivuser.te
@@ -21,6 +21,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	modemmanager_dbus_chat(user_t)
+')
+
+optional_policy(`
 	screen_role_template(user, user_r, user_t)
 ')
 
Index: refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/sysnetwork.fc
+++ refpolicy-2.20180701/policy/modules/system/sysnetwork.fc
@@ -27,6 +27,7 @@ ifdef(`distro_debian',`
 /etc/dhcp3?/dhclient.*		gen_context(system_u:object_r:dhcp_etc_t,s0)
 
 /etc/systemd/network(/.*)?	gen_context(system_u:object_r:net_conf_t,s0)
+/etc/tor/torsocks.conf	--	gen_context(system_u:object_r:net_conf_t,s0)
 
 ifdef(`distro_redhat',`
 /etc/sysconfig/network-scripts/.*resolv\.conf -- gen_context(system_u:object_r:net_conf_t,s0)
Index: refpolicy-2.20180701/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20180701/policy/modules/system/systemd.te
@@ -1008,6 +1008,7 @@ files_create_lock_dirs(systemd_tmpfiles_
 files_manage_all_pid_dirs(systemd_tmpfiles_t)
 files_delete_usr_files(systemd_tmpfiles_t)
 files_list_home(systemd_tmpfiles_t)
+files_list_locks(systemd_tmpfiles_t)
 files_manage_generic_tmp_dirs(systemd_tmpfiles_t)
 files_manage_var_dirs(systemd_tmpfiles_t)
 files_manage_var_lib_dirs(systemd_tmpfiles_t)
@@ -1026,8 +1027,8 @@ files_relabelto_etc_dirs(systemd_tmpfile
 files_manage_etc_symlinks(systemd_tmpfiles_t)
 
 fs_getattr_tmpfs(systemd_tmpfiles_t)
-fs_getattr_tmpfs_dirs(systemd_tmpfiles_t)
 fs_getattr_xattr_fs(systemd_tmpfiles_t)
+fs_list_tmpfs(systemd_tmpfiles_t)
 
 selinux_get_fs_mount(systemd_tmpfiles_t)
 selinux_search_fs(systemd_tmpfiles_t)
Index: refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/kernel/corecommands.fc
+++ refpolicy-2.20180701/policy/modules/kernel/corecommands.fc
@@ -166,6 +166,7 @@ ifdef(`distro_gentoo',`
 
 /usr/lib/at-spi2-core(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/avahi/avahi-daemon-check-dns\.sh	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/bluetooth/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/bridge-utils/.*\.sh	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ccache/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/dhcpcd/dhcpcd-hooks(/.*)?	gen_context(system_u:object_r:bin_t,s0)
@@ -197,6 +198,7 @@ ifdef(`distro_gentoo',`
 /usr/lib/gvfs/gvfs.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/ipsec/.*		--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/kde4/libexec/.*	--	gen_context(system_u:object_r:bin_t,s0)
+/usr/lib/[^/]+/libexec/kf5/.*	--	gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/bin(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mailman/mail(/.*)?		gen_context(system_u:object_r:bin_t,s0)
 /usr/lib/mediawiki/math/texvc.*		gen_context(system_u:object_r:bin_t,s0)
Index: refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20180701/policy/modules/apps/pulseaudio.te
@@ -148,7 +148,7 @@ miscfiles_read_localization(pulseaudio_t
 
 seutil_read_config(pulseaudio_t)
 
-userdom_read_user_tmpfs_files(pulseaudio_t)
+userdom_rw_user_tmpfs_files(pulseaudio_t)
 userdom_map_user_tmpfs_files(pulseaudio_t)
 userdom_delete_user_tmpfs_files(pulseaudio_t)
 userdom_search_user_home_dirs(pulseaudio_t)
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
 
 userdom_manage_user_tmp_dirs(pulseaudio_t)
 userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
 
 tunable_policy(`pulseaudio_execmem',`
 	allow pulseaudio_t self:process execmem;
@@ -225,6 +226,13 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_read_logind_sessions_files(pulseaudio_t)
+	# for /run/systemd/users/$PID
+	systemd_read_logind_pids(pulseaudio_t)
+	# for /run/user/1000/systemd/notify
+')
+
+optional_policy(`
 	udev_read_pid_files(pulseaudio_t)
 	udev_read_state(pulseaudio_t)
 	udev_read_db(pulseaudio_t)
Index: refpolicy-2.20180701/policy/modules/services/ssh.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/ssh.te
+++ refpolicy-2.20180701/policy/modules/services/ssh.te
@@ -178,6 +178,7 @@ logging_read_generic_logs(ssh_t)
 
 auth_use_nsswitch(ssh_t)
 
+miscfiles_read_generic_certs(ssh_t)
 miscfiles_read_localization(ssh_t)
 
 seutil_read_config(ssh_t)
Index: refpolicy-2.20180701/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20180701/policy/modules/services/xserver.if
@@ -90,6 +90,9 @@ interface(`xserver_restricted_role',`
 	# open office is looking for the following
 	dev_getattr_agp_dev($2)
 	dev_dontaudit_rw_dri($2)
+	tunable_policy(`xserver_allow_dri',`
+		dev_rw_dri($2)
+	')
 	# GNOME checks for usb and other devices:
 	dev_rw_usbfs($2)
 
Index: refpolicy-2.20180701/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20180701/policy/modules/services/xserver.te
@@ -55,6 +55,13 @@ gen_tunable(xserver_gnome_xdm, false)
 ## </desc>
 gen_tunable(xserver_object_manager, false)
 
+## <desc>
+## <p>
+## Allow DRI access
+## </p>
+## </desc>
+gen_tunable(xserver_allow_dri, false)
+
 attribute x_domain;
 
 # X Events
Index: refpolicy-2.20180701/policy/modules/system/locallogin.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/system/locallogin.te
+++ refpolicy-2.20180701/policy/modules/system/locallogin.te
@@ -209,6 +209,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	xserver_link_xdm_keys(local_login_t)
 	xserver_read_xdm_tmp_files(local_login_t)
 	xserver_rw_xdm_tmp_files(local_login_t)
 	xserver_rw_xdm_keys(local_login_t)
Index: refpolicy-2.20180701/policy/modules/apps/chromium.te
===================================================================
--- refpolicy-2.20180701.orig/policy/modules/apps/chromium.te
+++ refpolicy-2.20180701/policy/modules/apps/chromium.te
@@ -150,6 +150,7 @@ dev_read_sound(chromium_t)
 dev_write_sound(chromium_t)
 dev_read_urand(chromium_t)
 dev_read_rand(chromium_t)
+dev_rw_dri(chromium_t)
 dev_rw_xserver_misc(chromium_t)
 dev_map_xserver_misc(chromium_t)