Subject: Re: strict patch again with controversial sections removed
To: Russell Coker, selinux-refpolicy@vger.kernel.org
References: <20200410065749.GA113012@xev>
From: Chris PeBenito
Message-ID: <8a7a5e84-669c-f4d6-2758-c256150920b0@ieee.org>
Date: Tue, 14 Apr 2020 10:52:29 -0400
In-Reply-To: <20200410065749.GA113012@xev>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 4/10/20 2:57 AM, Russell Coker wrote:
> Signed-off-by: Russell Coker > > > Index: refpolicy-2.20200410/policy/modules/system/userdomain.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/userdomain.if > +++ refpolicy-2.20200410/policy/modules/system/userdomain.if
> @@ -68,6 +68,8 @@ template(`userdom_base_user_template',` > dontaudit $1_t user_tty_device_t:chr_file ioctl; > > kernel_read_kernel_sysctls($1_t) > + kernel_read_crypto_sysctls($1_t) > + kernel_read_vm_overcommit_sysctl($1_t) > kernel_dontaudit_list_unlabeled($1_t) > kernel_dontaudit_getattr_unlabeled_files($1_t) > kernel_dontaudit_getattr_unlabeled_symlinks($1_t) > Index: refpolicy-2.20200410/policy/modules/roles/sysadm.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/roles/sysadm.te > +++ refpolicy-2.20200410/policy/modules/roles/sysadm.te > @@ -57,6 +57,9 @@ selinux_read_policy(sysadm_t) > userdom_manage_user_home_dirs(sysadm_t) > userdom_home_filetrans_user_home_dir(sysadm_t) > > +# for systemd-analyze > +files_get_etc_unit_status(sysadm_t) Should go up in the init_systemd block. > ifdef(`direct_sysadm_daemon',` > optional_policy(` > init_run_daemon(sysadm_t, sysadm_r) > @@ -1119,6 +1122,10 @@ optional_policy(` > ') > > optional_policy(` > + systemd_dbus_chat_logind(sysadm_t) > +') > + > +optional_policy(` > tboot_run_txtstat(sysadm_t, sysadm_r) > ') > > @@ -1186,6 +1193,7 @@ optional_policy(` > ') > > optional_policy(` > + dev_rw_generic_usb_dev(sysadm_t) > usbmodules_run(sysadm_t, sysadm_r) > ') > > Index: refpolicy-2.20200410/policy/modules/services/xserver.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if > +++ refpolicy-2.20200410/policy/modules/services/xserver.if > @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',` > xserver_xsession_entry_type($2) > xserver_dontaudit_write_log($2) > xserver_stream_connect_xdm($2) > + xserver_use_user_fonts($2) > # certain apps want to read xdm.pid file > xserver_read_xdm_pid($2) > # gnome-session creates socket under /tmp/.ICE-unix/ 
> @@ -140,7 +141,7 @@ interface(`xserver_role',` > gen_require(` > type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t; > type user_fonts_t, user_fonts_cache_t, user_fonts_config_t; > - type mesa_shader_cache_t; > + type mesa_shader_cache_t, xdm_t; > ') > > xserver_restricted_role($1, $2) > @@ -183,6 +184,8 @@ interface(`xserver_role',` > > xserver_read_xkb_libs($2) > > + allow $2 xdm_t:unix_stream_socket accept; > + > optional_policy(` > xdg_manage_all_cache($2) > xdg_relabel_all_cache($2) > @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',` > allow $1 xkb_var_lib_t:dir list_dir_perms; > read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t) > + allow $1 xkb_var_lib_t:file map; > ') > > ######################################## > Index: refpolicy-2.20200410/policy/modules/services/dbus.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/dbus.if > +++ refpolicy-2.20200410/policy/modules/services/dbus.if > @@ -84,6 +84,7 @@ template(`dbus_role_template',` > > allow $3 $1_dbusd_t:unix_stream_socket connectto; > allow $3 $1_dbusd_t:dbus { send_msg acquire_svc }; > + allow $1_dbusd_t $3:dbus send_msg; Should go down in the next hunk with the sigkill line. > allow $3 $1_dbusd_t:fd use; > > allow $3 system_dbusd_t:dbus { send_msg acquire_svc }; > @@ -99,9 +100,13 @@ template(`dbus_role_template',` > > allow $1_dbusd_t $3:process sigkill; > > + allow $1_dbusd_t self:process getcap; > + > corecmd_bin_domtrans($1_dbusd_t, $3) > corecmd_shell_domtrans($1_dbusd_t, $3) > > + dev_read_sysfs($1_dbusd_t) > + > auth_use_nsswitch($1_dbusd_t) > > ifdef(`hide_broken_symptoms',`
> @@ -109,8 +114,17 @@ template(`dbus_role_template',` > ') > > optional_policy(` > + init_dbus_chat($1_dbusd_t) > + dbus_system_bus_client($1_dbusd_t) > + ') > + > + optional_policy(` > systemd_read_logind_pids($1_dbusd_t) > ') > + > + optional_policy(` > + xdg_read_data_files($1_dbusd_t) > + ') > ') > > ####################################### > Index: refpolicy-2.20200410/policy/modules/services/ssh.if > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if > +++ refpolicy-2.20200410/policy/modules/services/ssh.if > @@ -437,6 +437,7 @@ template(`ssh_role_template',` > xserver_use_xdm_fds($1_ssh_agent_t) > xserver_rw_xdm_pipes($1_ssh_agent_t) > xserver_sigchld_xdm($1_ssh_agent_t) > + xserver_write_inherited_xsession_log($1_ssh_agent_t) > ') > ') > > Index: refpolicy-2.20200410/policy/modules/kernel/corecommands.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/kernel/corecommands.te > +++ refpolicy-2.20200410/policy/modules/kernel/corecommands.te > @@ -13,7 +13,7 @@ attribute exec_type; > # > # bin_t is the type of files in the system bin/sbin directories. > # > -type bin_t alias { ls_exec_t sbin_t }; > +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t }; > corecmd_executable_file(bin_t) > dev_associate(bin_t) #For /dev/MAKEDEV > > Index: refpolicy-2.20200410/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20200410/policy/modules/system/systemd.te 
> @@ -38,10 +38,6 @@ type systemd_activate_t; > type systemd_activate_exec_t; > init_system_domain(systemd_activate_t, systemd_activate_exec_t) > > -type systemd_analyze_t; > -type systemd_analyze_exec_t; > -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t) > - > type systemd_backlight_t; > type systemd_backlight_exec_t; > init_system_domain(systemd_backlight_t, systemd_backlight_exec_t) > @@ -1259,6 +1255,7 @@ tunable_policy(`systemd_tmpfiles_manage_ > ') > > optional_policy(` > + dbus_manage_lib_files(systemd_tmpfiles_t) > dbus_read_lib_files(systemd_tmpfiles_t) > dbus_relabel_lib_dirs(systemd_tmpfiles_t) > ') > Index: refpolicy-2.20200410/policy/modules/services/cron.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/services/cron.te > +++ refpolicy-2.20200410/policy/modules/services/cron.te > @@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t) > kernel_getattr_message_if(system_cronjob_t) > > kernel_read_crypto_sysctls(system_cronjob_t) > +kernel_read_fs_sysctls(system_cronjob_t) > kernel_read_irq_sysctls(system_cronjob_t) > kernel_read_kernel_sysctls(system_cronjob_t) > kernel_read_network_state(system_cronjob_t) > Index: refpolicy-2.20200410/policy/modules/apps/pulseaudio.te > =================================================================== > --- refpolicy-2.20200410.orig/policy/modules/apps/pulseaudio.te > +++ refpolicy-2.20200410/policy/modules/apps/pulseaudio.te > @@ -157,6 +157,7 @@ userdom_search_user_home_content(pulseau > userdom_manage_user_tmp_dirs(pulseaudio_t) > userdom_manage_user_tmp_files(pulseaudio_t) > userdom_manage_user_tmp_sockets(pulseaudio_t) > +userdom_write_all_user_runtime_named_sockets(pulseaudio_t) > > tunable_policy(`pulseaudio_execmem',` > allow pulseaudio_t self:process execmem; > -- Chris PeBenito
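Review bot: the userdomain.if hunk widens every domain built from userdom_base_user_template, including unprivileged and restricted users, with kernel_read_crypto_sysctls and kernel_read_vm_overcommit_sysctl, and the cover text carries only a Signed-off-by with no note of which program hit the denials. State the triggering program per change in the commit message, and if the sysctl reads are needed by one application rather than by every user shell, add them in that application's policy instead of the base template.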
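Review bot: dev_rw_generic_usb_dev(sysadm_t) in the third sysadm.te hunk is a dev-module interface, yet it sits inside the optional_policy block whose only other line is usbmodules_run(sysadm_t, sysadm_r), so read/write access to generic USB device nodes for sysadm now comes and goes with the usbmodules module. If the access is needed for usbmodules only, add a comment saying so; otherwise move it out to the unconditional dev_* calls in sysadm.te.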
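Review bot: `allow $2 xdm_t:unix_stream_socket accept;` in the xserver_role hunk lets the user domain accept connections on a listening socket owned by xdm_t, which is the server side of the exchange and is unusual for a session domain; the nearby xdm access in this file is expressed through xserver_*_xdm_* calls with a comment naming the program ("# certain apps want to read xdm.pid file"). Add the same kind of comment naming what accepts on the inherited xdm socket, so the rule can be reviewed against that program rather than kept as an unexplained raw allow.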
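Review bot: the xserver_read_xkb_libs hunk adds a bare `allow $1 xkb_var_lib_t:file map;` directly under read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t). Refpolicy provides mmap_read_files_pattern for read-plus-map access, so switching that one pattern call is cleaner than carrying a separate allow line for the map permission.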
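Review bot: dev_read_sysfs($1_dbusd_t) in the second dbus.if hunk gives the per-user session bus daemon read access to all of sysfs, which is far broader than anything else the template grants (the self:process getcap line beside it is harmless). Note which lookup the daemon performs, and whether a narrower dev_* interface covers it, before granting whole-sysfs reads to every session bus.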
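Review bot: in the third dbus.if hunk, init_dbus_chat($1_dbusd_t) and dbus_system_bus_client($1_dbusd_t) are wrapped in optional_policy, but this template lives in dbus.if, so the dbus module is necessarily present, and init is a base module; the same template already calls `allow $3 system_dbusd_t:dbus { send_msg acquire_svc };` unconditionally for that reason. Drop the wrapper for these two calls, and say in the commit message what the session daemon needs to exchange with init over the system bus, since this opens a new channel from a user's bus daemon to PID 1.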
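Review bot: the corecommands.te hunk and the first systemd.te hunk together retire the systemd_analyze_t domain and alias its exec type to bin_t, so systemd-analyze now runs unconfined in the caller's domain (which is why the "# for systemd-analyze" files_get_etc_unit_status(sysadm_t) line appears in sysadm.te). That may be the right call for a diagnostic tool, but it is a deliberate loss of confinement and needs a sentence in the commit message; also check whether systemd.if has interfaces that gen_require systemd_analyze_t (those would no longer build) and whether the systemd.fc entry for the binary should now read bin_t rather than relying on the alias, since this patch touches neither file.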
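Review bot: in the second systemd.te hunk, dbus_manage_lib_files(systemd_tmpfiles_t) is added directly above dbus_read_lib_files(systemd_tmpfiles_t); manage already includes read, so the read call becomes redundant and should be dropped in the same hunk. Since this lets tmpfiles create and delete files under the system bus lib directory, name the tmpfiles.d entry that needs it.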
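Review bot: userdom_write_all_user_runtime_named_sockets(pulseaudio_t) in the pulseaudio.te hunk grants writes to every user runtime named socket, not just PulseAudio's own, whereas the surrounding userdom_manage_user_tmp_* calls are scoped to user tmp content. If the denial was for one specific socket under the user's runtime directory, prefer an interface scoped to that socket type over the all-sockets variant.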