Received: by 2002:a25:6193:0:0:0:0:0 with SMTP id v141csp2213911ybb;
        Sun, 5 Apr 2020 01:43:13 -0700 (PDT)
X-Google-Smtp-Source: APiQypK4g1r0n3rnmM2sod1B7W1ve1QuM643cktAz926qfqK2UgKQzt6VRjxrTa5dyGv0jgl24Kg
X-Received: by 2002:aca:3089:: with SMTP id w131mr9130151oiw.121.1586076193779;
        Sun, 05 Apr 2020 01:43:13 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1586076193; cv=none;
        d=google.com; s=arc-20160816;
        b=OAg/bEn2lpTj1ymsyn9GNnB4XwlSUJudkz/vpZXiTKb6W5PuRdtTq9cJfdO6hJo0dR
         Pq+SC7jajnd7MOAuBfefITwyrAoOFhFfCLSPXXL57lDlj3inDTGYOUHK1GhzcyZb3p4S
         3WNMMB1xGwL9mAsGrAEDaSQMGDFj+JDC1izIsbMZuiWcWmyIUylltUn2bBd2Tbpv/DvN
         rJ02AVJvoVLy5rILrto87BqSOppJmwCOBMWz49SKco/KFf8qKSoh5cJ5O1yHZ98qnZeF
         57MPMDde2OwXEG1R2klA6jcpoJUNCYomSeR2S9wbkEKd7ZCn9RDbU5ldWfBV+ApXiWND
         LRrg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:sender:content-disposition:mime-version
         :message-id:subject:to:from:date:dkim-signature;
        bh=WkGoAOgEfqrA6PtUOEd4J93V73o95Vg9xo1IggE4qoI=;
        b=TUukyiV6fOocrFlfQV7sVgbBxaK9cEH79X2HYWwGx/Yp6aBalx9CV+A+c4Qw55Gi96
         TphZeFMS7UBDlyPhZzt3bHeDFeAVzqokdmtOjh3RiEMlf7Di8oFDdcYa/E9a/4XQb9Gp
         K3IU7VfV96CKfmTyPpydnpJPwg3rWXdMQ3jdy/rQn1QBJG3IiVa62CVnl3+O8/ugDZdQ
         FLKncSCKPQnGYYRpKQ2KDaj40YX9+zEzDWel1myVyYHbZV1ygIzvsnDHHzTTY758O8i2
         kDxDetJ/xpkSGM6aP1ijJLcS0EXnS2Dxl/QOwF8EbeXBqOUYf+4nW1gEUa9GFs7iO1x7
         1REQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b="Q/aovimh";
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [209.132.180.67])
        by mx.google.com with ESMTP id e13si6253245oom.86.2020.04.05.01.43.11;
        Sun, 05 Apr 2020 01:43:13 -0700 (PDT)
Received-SPF: pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) client-ip=209.132.180.67;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b="Q/aovimh";
       spf=pass (google.com: best guess record for domain of selinux-refpolicy-owner@vger.kernel.org designates 209.132.180.67 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S1726399AbgDEInL (ORCPT <rfc822;toiwoton@gmail.com> + 13 others);
        Sun, 5 Apr 2020 04:43:11 -0400
Received: from smtp.sws.net.au ([46.4.88.250]:45100 "EHLO smtp.sws.net.au"
        rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP
        id S1726364AbgDEInL (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sun, 5 Apr 2020 04:43:11 -0400
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id 86B29F398
        for <selinux-refpolicy@vger.kernel.org>; Sun,  5 Apr 2020 18:43:08 +1000 (AEST)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1586076188;
        bh=WkGoAOgEfqrA6PtUOEd4J93V73o95Vg9xo1IggE4qoI=; l=3704;
        h=Date:From:To:Subject:From;
        b=Q/aovimh2G1onVwQUTc8Vnzkv9x9OWHp5YDa2YHpqniwk1cEd1n3qdNjXoIWLK+wu
         Zs3onlw+vHCOAL/e1oAnlxZS9kN6cUJwjICB8PTjsMPYAEAHdIDSrkwSiI/5sILqov
         +UlTmoCFRIG9zyPLora1UVaKrWYzMH6NMV+oLyQk=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 1A9C2FF29BE; Sun,  5 Apr 2020 18:43:03 +1000 (AEST)
Date:   Sun, 5 Apr 2020 18:43:03 +1000
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: latest memlockd patch
Message-ID: <20200405084303.GB177560@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Sender: selinux-refpolicy-owner@vger.kernel.org
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Patch for memlockd policy against latest git.

Signed-off-by: Russell Coker <russell@coker.com.au>


Index: refpolicy-2.20200405/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20200405/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20200405/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20200405/policy/modules/services/memlockd.te
@@ -0,0 +1,42 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+allow memlockd_t self:fifo_file rw_file_perms;
+allow memlockd_t self:unix_dgram_socket { create connect };
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
+files_read_etc_files(memlockd_t)
+
+# for ldd
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+
+corecmd_search_bin(memlockd_t)
+files_map_etc_files(memlockd_t)
+# has to exec for ldd
+corecmd_exec_all_executables(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+
+miscfiles_read_localization(memlockd_t)
+
Index: refpolicy-2.20200405/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20200405/policy/modules/system/sysnetwork.if
@@ -391,6 +391,31 @@ interface(`sysnet_mmap_config_files',`
 
 #######################################
 ## <summary>
+##	map network config files.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to mmap the
+##	general network configuration files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file { read_file_perms map };
+')
+
+#######################################
+## <summary>
 ##	Do not audit attempts to read network config files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20200405/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20200405.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20200405/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
 
 ########################################
 ## <summary>
+##	Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+	allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
 ##	Pass shadow assertion for reading.
 ## </summary>
 ## <desc>