Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Wed, 20 Jan 2021 21:17:17 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] latest memlockd patch
Message-ID: <YAgDLZznabfyzIaJ@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

Includes the ifndef(`distro_debian' section that was requested.  Should be
ready for merging now.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20201205/policy/modules/services/memlockd.fc
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.fc
@@ -0,0 +1 @@
+/usr/sbin/memlockd	--	gen_context(system_u:object_r:memlockd_exec_t,s0)
Index: refpolicy-2.20201205/policy/modules/services/memlockd.if
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.if
@@ -0,0 +1,2 @@
+## <summary>memory lock daemon, keeps important files in RAM.</summary>
+
Index: refpolicy-2.20201205/policy/modules/services/memlockd.te
===================================================================
--- /dev/null
+++ refpolicy-2.20201205/policy/modules/services/memlockd.te
@@ -0,0 +1,39 @@
+policy_module(memlockd, 1.0.0)
+
+########################################
+#
+# Declarations
+#
+
+type memlockd_t;
+type memlockd_exec_t;
+init_daemon_domain(memlockd_t, memlockd_exec_t)
+
+########################################
+#
+# Local policy
+#
+
+allow memlockd_t self:capability { setgid setuid ipc_lock };
+ifndef(`distro_debian', `
+allow memlockd_t self:capability dac_read_search;
+')
+allow memlockd_t self:fifo_file rw_file_perms;
+
+# cache /etc/shadow too
+auth_read_shadow(memlockd_t)
+auth_map_shadow(memlockd_t)
+
+corecmd_exec_all_executables(memlockd_t)
+corecmd_exec_bin(memlockd_t)
+corecmd_exec_shell(memlockd_t)
+corecmd_read_all_executables(memlockd_t)
+corecmd_search_bin(memlockd_t)
+files_read_etc_files(memlockd_t)
+libs_exec_ld_so(memlockd_t)
+files_map_etc_files(memlockd_t)
+
+logging_send_syslog_msg(memlockd_t)
+miscfiles_read_localization(memlockd_t)
+
+sysnet_mmap_read_config(memlockd_t)
Index: refpolicy-2.20201205/policy/modules/system/sysnetwork.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/sysnetwork.if
+++ refpolicy-2.20201205/policy/modules/system/sysnetwork.if
@@ -393,6 +393,31 @@ interface(`sysnet_mmap_config_files',`
 
 #######################################
 ## <summary>
+##	map network config files.
+## </summary>
+## <desc>
+##	<p>
+##	Allow the specified domain to mmap the
+##	general network configuration files.
+##	</p>
+## </desc>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`sysnet_mmap_read_config',`
+	gen_require(`
+		type net_conf_t;
+	')
+
+	files_search_etc($1)
+	allow $1 net_conf_t:file mmap_read_file_perms;
+')
+
+#######################################
+## <summary>
 ##	Do not audit attempts to read network config files.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20201205/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20201205.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20201205/policy/modules/system/authlogin.if
@@ -577,6 +577,23 @@ interface(`auth_read_shadow',`
 
 ########################################
 ## <summary>
+##	Map the shadow passwords file (/etc/shadow)
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`auth_map_shadow',`
+	gen_require(`
+		type shadow_t;
+	')
+	allow $1 shadow_t:file map;
+')
+
+########################################
+## <summary>
 ##	Pass shadow assertion for reading.
 ## </summary>
 ## <desc>