Date: Wed, 20 Jan 2021 21:07:06 +1100
From: Russell Coker To: selinux-refpolicy@vger.kernel.org Subject: [PATCH] misc kernel and system patches Message-ID: MIME-Version: 1.0 Content-Type: text/plain; charset=us-ascii Content-Disposition: inline Precedence: bulk List-ID: X-Mailing-List: selinux-refpolicy@vger.kernel.org Lots of little patches that should be good to merge. Signed-off-by: Russell Coker Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.fc =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.fc +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.fc @@ -305,7 +305,6 @@ ifdef(`distro_debian',` /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) -/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0) /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0) /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0) Index: refpolicy-2.20210120/policy/modules/kernel/corecommands.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/corecommands.if +++ refpolicy-2.20210120/policy/modules/kernel/corecommands.if @@ -662,6 +662,7 @@ interface(`corecmd_read_all_executables' corecmd_search_bin($1) read_files_pattern($1, exec_type, exec_type) + allow $1 exec_type:file map; ') ######################################## Index: refpolicy-2.20210120/policy/modules/kernel/devices.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/devices.if +++ refpolicy-2.20210120/policy/modules/kernel/devices.if 
@@ -4323,6 +4323,42 @@ interface(`dev_mount_sysfs',` ######################################## ## +## remount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_remount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem remount; +') + +######################################## +## +## unmount a sysfs filesystem +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_unmount_sysfs',` + gen_require(` + type sysfs_t; + ') + + allow $1 sysfs_t:filesystem unmount; +') + +######################################## +## ## Do not audit getting the attributes of sysfs filesystem ## ## Index: refpolicy-2.20210120/policy/modules/kernel/domain.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/domain.if +++ refpolicy-2.20210120/policy/modules/kernel/domain.if @@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state ######################################## ## -## Get the attributes of all domains of all domains. +## Get the attributes of all domains ## ## ## Index: refpolicy-2.20210120/policy/modules/kernel/files.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/files.if +++ refpolicy-2.20210120/policy/modules/kernel/files.if 
@@ -5408,6 +5408,25 @@ interface(`files_delete_kernel_symbol_ta ######################################## ## +## Delete a system.map in the /boot directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_mounton_kernel_symbol_table',` + gen_require(` + type boot_t, system_map_t; + ') + + allow $1 boot_t:dir list_dir_perms; + allow $1 system_map_t:file mounton; +') + +######################################## +## ## Search the contents of /var. ## ## Index: refpolicy-2.20210120/policy/modules/kernel/selinux.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/selinux.if +++ refpolicy-2.20210120/policy/modules/kernel/selinux.if @@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',` ######################################## ## +## Mount on the selinuxfs filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`selinux_mounton_fs',` + gen_require(` + type security_t; + ') + + allow $1 security_t:dir mounton; +') + +######################################## +## ## Get the attributes of the selinuxfs filesystem ## ## Index: refpolicy-2.20210120/policy/modules/kernel/terminal.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/kernel/terminal.te +++ refpolicy-2.20210120/policy/modules/kernel/terminal.te @@ -31,6 +31,9 @@ fs_associate_tmpfs(devpts_t) fs_xattr_type(devpts_t) fs_use_trans devpts gen_context(system_u:object_r:devpts_t,s0); +# for systemd-nspawn +allow console_device_t devpts_t:filesystem associate; + # # devtty_t is the type of /dev/tty. # Index: refpolicy-2.20210120/policy/modules/system/authlogin.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/authlogin.te +++ refpolicy-2.20210120/policy/modules/system/authlogin.te 
@@ -98,12 +98,13 @@ optional_policy(` allow chkpwd_t self:capability { dac_override setuid }; dontaudit chkpwd_t self:capability sys_tty_config; -allow chkpwd_t self:process { getattr signal }; +allow chkpwd_t self:process { getcap getattr signal }; allow chkpwd_t shadow_t:file read_file_perms; files_list_etc(chkpwd_t) kernel_read_crypto_sysctls(chkpwd_t) +kernel_read_kernel_sysctls(chkpwd_t) domain_dontaudit_use_interactive_fds(chkpwd_t) @@ -116,6 +117,7 @@ files_read_etc_files(chkpwd_t) files_dontaudit_search_var(chkpwd_t) fs_dontaudit_getattr_xattr_fs(chkpwd_t) +fs_read_tmpfs_symlinks(chkpwd_t) selinux_get_enforce_mode(chkpwd_t) Index: refpolicy-2.20210120/policy/modules/system/fstools.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/fstools.te +++ refpolicy-2.20210120/policy/modules/system/fstools.te @@ -160,6 +160,8 @@ mount_exec(fsadm_t) # for /run/mount/utab mount_getattr_runtime_files(fsadm_t) +mount_rw_runtime_files(fsadm_t) + seutil_read_config(fsadm_t) userdom_use_user_terminals(fsadm_t) Index: refpolicy-2.20210120/policy/modules/system/init.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/init.if +++ refpolicy-2.20210120/policy/modules/system/init.if @@ -191,6 +191,24 @@ interface(`init_domain',` ######################################## ## +## Allow a domain to be transitioned to from init_t with nnp_transition +## +## +## +## Domain to transition +## +## +# +interface(`init_nnp_domain',` + gen_require(` + type init_t; + ') + + allow init_t $1:process2 nnp_transition; +') + +######################################## +## ## Create a domain which can be started by init, ## with a range transition. ## 
@@ -3029,6 +3047,24 @@ interface(`init_relabel_utmp',` ######################################## ## +## Watch utmp. +## +## +## +## Domain allowed access. +## +## +# +interface(`init_watch_utmp',` + gen_require(` + type initrc_runtime_t; + ') + + allow $1 initrc_runtime_t:file watch; +') + +######################################## +## ## Create files in /var/run with the ## utmp file type. ## @@ -3248,6 +3284,24 @@ interface(`init_read_pid_pipes',` init_read_runtime_pipes($1) ') +###################################### +## +## restart systemd units, for /run/systemd/transient/* +## +## +## +## Domain allowed access. +## +## +# +interface(`init_restart_units',` + gen_require(` + type init_var_run_t; + ') + + allow $1 init_var_run_t:service { start status stop }; +') + ######################################## ## ## Read init unnamed pipes. @@ -3575,6 +3629,24 @@ interface(`init_manage_all_unit_files',` ') ######################################## +## +## stat systemd unit files +## +## +## +## Domain allowed access. +## +## +# +interface(`init_getattr_all_unit_files',` + gen_require(` + attribute systemdunit; + ') + + allow $1 systemdunit:file getattr; +') + +######################################## ## ## Allow unconfined access to send instructions to init ## Index: refpolicy-2.20210120/policy/modules/system/init.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/init.te +++ refpolicy-2.20210120/policy/modules/system/init.te 
@@ -239,7 +239,8 @@ ifdef(`init_systemd',` allow init_t self:unix_stream_socket { create_stream_socket_perms connectto }; allow init_t self:netlink_audit_socket { nlmsg_relay create_socket_perms }; allow init_t self:netlink_selinux_socket create_socket_perms; - allow init_t self:system { status reboot halt reload }; + # why does kernel 4.9 make it need start and stop while 4.19 does not? + allow init_t self:system { start stop status reboot halt reload }; # Until systemd is fixed allow init_t self:udp_socket create_socket_perms; allow init_t self:netlink_route_socket create_netlink_socket_perms; @@ -1002,6 +1003,7 @@ ifdef(`enabled_mls',` ifdef(`init_systemd',` allow initrc_t init_t:system { start status reboot halt reload }; + allow init_t initrc_t:process2 nnp_transition; manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) @@ -1043,6 +1045,7 @@ ifdef(`init_systemd',` init_get_all_units_status(initrc_t) init_manage_var_lib_files(initrc_t) init_rw_stream_sockets(initrc_t) + init_stop_system(initrc_t) # Create /etc/audit.rules.prev after firstboot remediation logging_manage_audit_config(initrc_t) Index: refpolicy-2.20210120/policy/modules/system/locallogin.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/locallogin.te +++ refpolicy-2.20210120/policy/modules/system/locallogin.te 
@@ -125,7 +125,8 @@ auth_manage_pam_runtime_files(local_logi auth_manage_pam_console_data(local_login_t) auth_domtrans_pam_console(local_login_t) -init_dontaudit_use_fds(local_login_t) +# if local_login_t can not inherit fd from init it takes ages to login +init_use_fds(local_login_t) miscfiles_read_localization(local_login_t) Index: refpolicy-2.20210120/policy/modules/system/logging.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/logging.te +++ refpolicy-2.20210120/policy/modules/system/logging.te @@ -515,7 +515,8 @@ ifdef(`init_systemd',` # for systemd-journal allow syslogd_t self:netlink_audit_socket connected_socket_perms; allow syslogd_t self:capability2 audit_read; - allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; + allow syslogd_t self:capability { chown dac_read_search setgid setuid sys_ptrace audit_control }; + allow syslogd_t self:cap_userns sys_ptrace; allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write }; # remove /run/log/journal when switching to permanent storage @@ -533,6 +534,7 @@ ifdef(`init_systemd',` domain_getattr_all_domains(syslogd_t) domain_read_all_domains_state(syslogd_t) + domain_signull_all_domains(syslogd_t) init_create_runtime_dirs(syslogd_t) init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd") Index: refpolicy-2.20210120/policy/modules/system/lvm.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/lvm.if +++ refpolicy-2.20210120/policy/modules/system/lvm.if 
@@ -247,3 +247,21 @@ interface(`lvm_admin',` files_search_tmp($1) admin_pattern($1, lvm_tmp_t) ') + +###################################### +## +## Allow lvm_t to use a semaphore +## +## +## +## Domain that created the semaphore +## +## +# +interface(`lvm_use_sem',` + gen_require(` + type lvm_t; + ') + + allow lvm_t $1:sem all_sem_perms; +') Index: refpolicy-2.20210120/policy/modules/system/lvm.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/lvm.te +++ refpolicy-2.20210120/policy/modules/system/lvm.te @@ -345,6 +345,8 @@ optional_policy(` ') optional_policy(` + apt_use_fds(lvm_t) + dpkg_script_rw_pipes(lvm_t) ') Index: refpolicy-2.20210120/policy/modules/system/miscfiles.fc =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/miscfiles.fc +++ refpolicy-2.20210120/policy/modules/system/miscfiles.fc @@ -14,6 +14,8 @@ ifdef(`distro_gentoo',` /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) /etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) +/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) +/etc/letsencrypt(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) ifdef(`distro_debian',` Index: refpolicy-2.20210120/policy/modules/system/modutils.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/modutils.te +++ refpolicy-2.20210120/policy/modules/system/modutils.te 
@@ -33,7 +33,7 @@ ifdef(`init_systemd',` # insmod local policy # -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; +allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config }; allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; # for the radeon/amdgpu modules dontaudit kmod_t self:capability sys_admin; @@ -99,6 +99,7 @@ fs_getattr_xattr_fs(kmod_t) fs_dontaudit_use_tmpfs_chr_dev(kmod_t) fs_search_tracefs(kmod_t) +init_nnp_domain(kmod_t) init_rw_initctl(kmod_t) init_use_fds(kmod_t) init_use_script_fds(kmod_t) @@ -138,6 +139,8 @@ optional_policy(` dpkg_manage_script_tmp_files(kmod_t) dpkg_map_script_tmp_files(kmod_t) dpkg_read_script_tmp_symlinks(kmod_t) + apt_use_fds(kmod_t) + apt_use_ptys(kmod_t) ') optional_policy(` Index: refpolicy-2.20210120/policy/modules/system/mount.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/mount.te +++ refpolicy-2.20210120/policy/modules/system/mount.te @@ -219,6 +219,14 @@ optional_policy(` samba_run_smbmount(mount_t, mount_roles) ') +optional_policy(` + ssh_rw_pipes(mount_t) +') + +optional_policy(` + xen_read_image_files(mount_t) +') + ######################################## # # Unconfined mount local policy Index: refpolicy-2.20210120/policy/modules/system/raid.fc =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/raid.fc +++ refpolicy-2.20210120/policy/modules/system/raid.fc 
@@ -11,6 +11,8 @@ /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) /usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0) + # Systemd unit files /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) Index: refpolicy-2.20210120/policy/modules/system/raid.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/raid.te +++ refpolicy-2.20210120/policy/modules/system/raid.te @@ -54,6 +54,7 @@ dev_dontaudit_getattr_all_blk_files(mdad dev_dontaudit_getattr_all_chr_files(mdadm_t) dev_read_realtime_clock(mdadm_t) +domain_dontaudit_search_all_domains_state(mdadm_t) domain_use_interactive_fds(mdadm_t) files_read_etc_files(mdadm_t) @@ -90,6 +91,7 @@ userdom_dontaudit_use_user_terminals(mda optional_policy(` cron_system_entry(mdadm_t, mdadm_exec_t) + cron_rw_tmp_files(mdadm_t) ') optional_policy(` Index: refpolicy-2.20210120/policy/modules/system/systemd.fc =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/systemd.fc +++ refpolicy-2.20210120/policy/modules/system/systemd.fc 
@@ -5,7 +5,6 @@ /run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) -/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) /usr/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) Index: refpolicy-2.20210120/policy/modules/system/systemd.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/systemd.te +++ refpolicy-2.20210120/policy/modules/system/systemd.te @@ -355,10 +355,11 @@ ifdef(`enable_mls',` # allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; -allow systemd_coredump_t self:capability { setgid setuid setpcap }; +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; allow systemd_coredump_t self:process { getcap setcap setfscreate }; manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t) +allow systemd_coredump_t systemd_coredump_var_lib_t:file map; kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t) kernel_read_kernel_sysctls(systemd_coredump_t) @@ -376,6 +377,7 @@ files_read_etc_files(systemd_coredump_t) files_search_var_lib(systemd_coredump_t) fs_getattr_xattr_fs(systemd_coredump_t) +fs_search_tmpfs(systemd_coredump_t) selinux_getattr_fs(systemd_coredump_t) @@ -397,6 +399,8 @@ allow systemd_generator_t self:fifo_file allow systemd_generator_t self:capability dac_override; allow systemd_generator_t self:process setfscreate; +allow systemd_generator_t systemd_unit_t:file getattr; + corecmd_getattr_bin_files(systemd_generator_t) dev_read_sysfs(systemd_generator_t) 
@@ -407,6 +411,7 @@ files_read_etc_files(systemd_generator_t files_search_runtime(systemd_generator_t) files_list_boot(systemd_generator_t) files_read_boot_files(systemd_generator_t) +files_read_config_files(systemd_generator_t) files_search_all_mountpoints(systemd_generator_t) files_list_usr(systemd_generator_t) @@ -414,6 +419,8 @@ fs_list_efivars(systemd_generator_t) fs_getattr_xattr_fs(systemd_generator_t) init_create_runtime_files(systemd_generator_t) +init_read_all_script_files(systemd_generator_t) +init_getattr_all_unit_files(systemd_generator_t) init_manage_runtime_dirs(systemd_generator_t) init_manage_runtime_symlinks(systemd_generator_t) init_read_runtime_files(systemd_generator_t) @@ -618,12 +625,17 @@ init_dbus_send_script(systemd_logind_t) init_get_all_units_status(systemd_logind_t) init_get_system_status(systemd_logind_t) init_read_utmp(systemd_logind_t) +init_restart_units(systemd_logind_t) init_service_start(systemd_logind_t) init_service_status(systemd_logind_t) init_start_all_units(systemd_logind_t) init_stop_all_units(systemd_logind_t) init_start_system(systemd_logind_t) init_stop_system(systemd_logind_t) +init_watch_utmp(systemd_logind_t) + +# for /run/systemd/transient/* +init_restart_units(systemd_logind_t) locallogin_read_state(systemd_logind_t) @@ -880,6 +892,9 @@ allow systemd_nspawn_t self:capability { allow systemd_nspawn_t self:capability2 wake_alarm; allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms; +allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms; +allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms; +allow systemd_nspawn_t self:udp_socket { create ioctl }; allow systemd_nspawn_t systemd_journal_t:dir search; 
@@ -916,6 +931,9 @@ dev_getattr_fs(systemd_nspawn_t) dev_manage_sysfs_dirs(systemd_nspawn_t) dev_mounton_sysfs_dirs(systemd_nspawn_t) dev_mount_sysfs(systemd_nspawn_t) +dev_remount_sysfs(systemd_nspawn_t) +dev_unmount_sysfs(systemd_nspawn_t) +dev_read_sysfs(systemd_nspawn_t) dev_read_rand(systemd_nspawn_t) dev_read_urand(systemd_nspawn_t) @@ -928,6 +946,7 @@ files_mounton_tmp(systemd_nspawn_t) files_read_kernel_symbol_table(systemd_nspawn_t) files_setattr_runtime_dirs(systemd_nspawn_t) +fs_getattr_cgroup(systemd_nspawn_t) fs_getattr_tmpfs(systemd_nspawn_t) fs_manage_tmpfs_chr_files(systemd_nspawn_t) fs_mount_tmpfs(systemd_nspawn_t) @@ -951,6 +970,7 @@ init_write_runtime_socket(systemd_nspawn init_spec_domtrans_script(systemd_nspawn_t) miscfiles_manage_localization(systemd_nspawn_t) +udev_read_runtime_files(systemd_nspawn_t) # for writing inside chroot sysnet_manage_config(systemd_nspawn_t) @@ -967,8 +987,14 @@ tunable_policy(`systemd_nspawn_labeled_n # manage etc symlinks for /etc/localtime files_manage_etc_symlinks(systemd_nspawn_t) files_mounton_runtime_dirs(systemd_nspawn_t) + files_mounton_kernel_symbol_table(systemd_nspawn_t) files_search_home(systemd_nspawn_t) + files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file) + allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms; + fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file) + allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms; + fs_getattr_cgroup(systemd_nspawn_t) fs_manage_cgroup_dirs(systemd_nspawn_t) fs_manage_tmpfs_dirs(systemd_nspawn_t) @@ -986,6 +1012,7 @@ tunable_policy(`systemd_nspawn_labeled_n selinux_getattr_fs(systemd_nspawn_t) selinux_remount_fs(systemd_nspawn_t) selinux_search_fs(systemd_nspawn_t) + selinux_mounton_fs(systemd_nspawn_t) init_domtrans(systemd_nspawn_t) 
@@ -1013,7 +1040,7 @@ optional_policy(` # systemd_passwd_agent_t local policy # -allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource }; allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; @@ -1024,14 +1051,19 @@ manage_sock_files_pattern(systemd_passwd manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t) init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file }) +can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) + kernel_read_system_state(systemd_passwd_agent_t) kernel_stream_connect(systemd_passwd_agent_t) dev_create_generic_dirs(systemd_passwd_agent_t) dev_read_generic_files(systemd_passwd_agent_t) +dev_read_sysfs(systemd_passwd_agent_t) +dev_write_sysfs_dirs(systemd_passwd_agent_t) dev_write_generic_sock_files(systemd_passwd_agent_t) dev_write_kmsg(systemd_passwd_agent_t) +corecmd_search_bin(systemd_passwd_agent_t) files_read_etc_files(systemd_passwd_agent_t) fs_getattr_xattr_fs(systemd_passwd_agent_t) @@ -1040,6 +1072,7 @@ selinux_get_enforce_mode(systemd_passwd_ selinux_getattr_fs(systemd_passwd_agent_t) term_read_console(systemd_passwd_agent_t) +term_use_unallocated_ttys(systemd_passwd_agent_t) auth_use_nsswitch(systemd_passwd_agent_t) @@ -1100,6 +1133,8 @@ logging_send_syslog_msg(systemd_pstore_t allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt }; +allow systemd_rfkill_t self:netlink_kobject_uevent_socket client_stream_socket_perms; + manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) init_var_lib_filetrans(systemd_rfkill_t, systemd_rfkill_var_lib_t, dir) 
@@ -1264,6 +1299,8 @@ allow systemd_tmpfiles_t systemd_journal allow systemd_tmpfiles_t systemd_tmpfiles_conf_t:dir list_dir_perms; allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink; + kernel_getattr_proc(systemd_tmpfiles_t) kernel_read_kernel_sysctls(systemd_tmpfiles_t) kernel_read_network_state(systemd_tmpfiles_t) @@ -1495,6 +1532,8 @@ systemd_dbus_chat_logind(systemd_user_ru seutil_read_file_contexts(systemd_user_runtime_dir_t) seutil_libselinux_linked(systemd_user_runtime_dir_t) +userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) +userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) userdom_search_user_runtime_root(systemd_user_runtime_dir_t) userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) Index: refpolicy-2.20210120/policy/modules/system/udev.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/udev.te +++ refpolicy-2.20210120/policy/modules/system/udev.te @@ -145,6 +145,7 @@ selinux_compute_access_vector(udev_t) selinux_compute_create_context(udev_t) selinux_compute_relabel_context(udev_t) selinux_compute_user_contexts(udev_t) +selinux_use_status_page(udev_t) storage_watch_fixed_disk(udev_t) @@ -351,6 +352,7 @@ optional_policy(` optional_policy(` raid_domtrans_mdadm(udev_t) + raid_read_mdadm_runtime_files(udev_t) ') optional_policy(` 
@@ -400,6 +402,10 @@ allow udevadm_t udev_runtime_t:dir watch dev_rw_sysfs(udevadm_t) dev_read_urand(udevadm_t) +fs_getattr_cgroup(udevadm_t) +fs_getattr_tmpfs(udevadm_t) +fs_search_cgroup_dirs(udevadm_t) + files_read_etc_files(udevadm_t) files_read_usr_files(udevadm_t) Index: refpolicy-2.20210120/policy/modules/system/unconfined.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.if +++ refpolicy-2.20210120/policy/modules/system/unconfined.if @@ -38,7 +38,7 @@ interface(`unconfined_domain_noaudit',` # Use most Linux capabilities allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; - allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm }; + allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon }; allow $1 self:fifo_file manage_fifo_file_perms; # Transition to myself, to make get_ordered_context_list happy. Index: refpolicy-2.20210120/policy/modules/system/unconfined.te =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/unconfined.te +++ refpolicy-2.20210120/policy/modules/system/unconfined.te @@ -83,6 +83,10 @@ optional_policy(` ') optional_policy(` + certbot_run(unconfined_t, unconfined_r) +') + +optional_policy(` cron_unconfined_role(unconfined_r, unconfined_t) ') 
@@ -121,6 +125,7 @@ optional_policy(` optional_policy(` lvm_run(unconfined_t, unconfined_r) + lvm_use_sem(unconfined_t) ') optional_policy(` Index: refpolicy-2.20210120/policy/modules/system/userdomain.if =================================================================== --- refpolicy-2.20210120.orig/policy/modules/system/userdomain.if +++ refpolicy-2.20210120/policy/modules/system/userdomain.if @@ -2167,6 +2167,8 @@ interface(`userdom_read_user_home_conten ') read_files_pattern($1, { user_home_dir_t user_home_t }, user_home_t) + allow $1 user_home_t:file map; + allow $1 user_home_t:lnk_file read_lnk_file_perms; files_search_home($1) ')
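Review bot: in the corecommands.if hunk, adding `allow $1 exec_type:file map;` to corecmd_read_all_executables silently widens every existing caller of a "read" interface to mmap permission on all executables. Either document map in the interface description or put the rule in a separate opt-in interface (a corecmd_mmap_all_executables) so callers that only need read do not gain it.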
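Review bot: in the files.if hunk, the summary of files_mounton_kernel_symbol_table still reads "Delete a system.map in the /boot directory", copied from files_delete_kernel_symbol_table above it, while the rule grants `allow $1 system_map_t:file mounton;`. Change it to "Mount on a system.map in the /boot directory."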
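Review bot: in the init.if hunk adding init_restart_units, the interface names `init_var_run_t` while the other new interface in the same file (init_watch_utmp, `initrc_runtime_t`) and the rest of the patch use the *_runtime naming (systemd_nspawn_runtime_t, init_read_runtime_pipes); use the current runtime type name so the interface does not depend on the legacy alias. The `######` header line above this interface is also shorter than the 40-character rule used by the neighbouring interfaces.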
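Review bot: in the first init.te hunk, the comment "why does kernel 4.9 make it need start and stop while 4.19 does not?" leaves an open question in the policy source. Either resolve it before merging or rephrase it as a statement of what was observed (kernel 4.9 requires start and stop on self:system, 4.19 does not) so the next reader knows the rule is intentional rather than a TODO.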
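Review bot: in the second init.te hunk, `allow init_t initrc_t:process2 nnp_transition;` is written as a raw rule even though this patch adds init_nnp_domain() for exactly this rule and modutils.te calls init_nnp_domain(kmod_t); calling init_nnp_domain(initrc_t) here keeps the nnp_transition rules in one place.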
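Review bot: in the third init.te hunk, init_stop_system(initrc_t) is added while the earlier hunk in the same file shows the raw rule `allow initrc_t init_t:system { start status reboot halt reload };`; if init_stop_system only grants init_t:system stop, adding stop to that existing list is clearer than mixing an interface call with the raw rule a few lines above.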
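Review bot: in the locallogin.te hunk, replacing init_dontaudit_use_fds with init_use_fds reverses an explicit dontaudit, so the comment should say which descriptor local_login_t inherits from init and why login stalls without it; if the stall only occurs under systemd, wrap the call in ifdef(`init_systemd') as the rest of the patch does for systemd-specific rules.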
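Review bot: in the first logging.te hunk, `audit_control` is added to syslogd_t's capability set without a comment; it lets the domain reconfigure the audit subsystem, which is far broader than the audit_read already granted via capability2. If journald merely probes for it, a dontaudit is the usual choice; if it is needed, state what for next to the rule, and do the same for the new `self:cap_userns sys_ptrace` line, since the "# for systemd-journal" comment does not explain either.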
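Review bot: in the lvm.if hunk, lvm_use_sem grants `all_sem_perms`, which includes destroy and setattr, where rw_sem_perms is normally enough for a domain that only uses a semaphore another domain created; narrow it unless lvm_t must remove the semaphore. The `######` header above the interface is also shorter than the 40-character rule used by the other new interfaces in this patch.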
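Review bot: in the lvm.te hunk, apt_use_fds(lvm_t) is placed inside the optional_policy block that already holds dpkg_script_rw_pipes(lvm_t); apt and dpkg are separate modules, so the combined block fails to link whenever only one of them is loaded. Give apt_use_fds its own optional_policy block, as the mount.te hunk in this patch does for ssh_rw_pipes and xen_read_image_files.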
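Review bot: in the third modutils.te hunk, apt_use_fds(kmod_t) and apt_use_ptys(kmod_t) are added to the optional_policy block containing the dpkg_* calls; as with lvm.te, apt and dpkg are separate modules, so move the two apt calls into their own optional_policy block.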
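Review bot: in the miscfiles.fc hunk, `/etc/letsencrypt(/.*)?` labels the whole tree tls_privkey_t, but that directory also holds the public certificates, chains and renewal configuration, so every service that only needs its certificate must then be granted private-key read access. Consider labelling the tree cert_t and matching only the private key files as tls_privkey_t, and check whether certbot.fc already has an entry for this path, since this patch wires certbot_run into unconfined.te.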
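Review bot: the systemd.fc hunk removes the /usr/bin/systemd-analyze entry with no explanation in the cover text; if systemd_analyze_exec_t is still declared in systemd.te the type becomes unused and the binary falls back to the generic bin label. Either say why the dedicated domain is no longer wanted or remove the type and its rules in the same change.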
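Review bot: in the systemd.te generator hunk at @@ -397, `allow systemd_generator_t systemd_unit_t:file getattr;` looks redundant with init_getattr_all_unit_files(systemd_generator_t) added two hunks later, which grants getattr on every file carrying the systemdunit attribute; if systemd_unit_t has that attribute, drop the raw rule.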
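Review bot: in the systemd_logind hunk at @@ -618, init_restart_units(systemd_logind_t) is added twice, once directly after init_read_utmp and again under the "# for /run/systemd/transient/*" comment; keep only the commented copy.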
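Review bot: in the nspawn tunable_policy hunk at @@ -967, `fs_getattr_cgroup(systemd_nspawn_t)` is added inside the tunable block although the same call is added unconditionally in the @@ -928 hunk above, so this copy is redundant. Separately, files_tmp_filetrans and fs_tmpfs_filetrans here make nspawn's fifos in /tmp and sockets on tmpfs carry systemd_nspawn_runtime_t, which is why the later systemd_tmpfiles_t hunk needs a raw `systemd_nspawn_runtime_t:fifo_file unlink` rule; a dedicated tmp type would let the existing tmp cleanup interfaces cover that instead.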
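Review bot: in the systemd_passwd_agent_t hunk at @@ -1024, dev_write_sysfs_dirs and term_use_unallocated_ttys are unusual grants for a password agent and carry no comment; a line saying which sysfs path and which tty the agent touches would let a reviewer judge whether a dontaudit would do, and the same goes for the new sys_resource capability in the hunk above it.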
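Review bot: in the systemd_rfkill_t hunk, the new `self:netlink_kobject_uevent_socket client_stream_socket_perms` rule sits directly under the existing `{ bind create getattr read setopt }` rule for the same class; client_stream_socket_perms already includes those permissions, so fold the two into one rule.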
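Review bot: in the unconfined.if hunk, bpf and perfmon are newer capabilities, so the capability2 and cap2_userns class definitions the policy is built against must already list them; confirm the refpolicy flask definitions and the target policy version carry them, otherwise the build breaks on older trees.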
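Review bot: in the userdomain.if hunk, `allow $1 user_home_t:file map;` widens userdom_read_user_home_content_files for every existing caller; as with the corecommands change, either document map in the interface description or expose it through a separate mmap interface so read-only callers keep their current scope.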