Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Date:   Mon, 1 Feb 2021 15:57:13 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] new version of filetrans patch
Message-ID: <YBeKKR5cmQe+MTRA@xev>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk

Name changes suggested by Dominick and some more additions.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210130/policy/modules/system/authlogin.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/authlogin.if
+++ refpolicy-2.20210130/policy/modules/system/authlogin.if
@@ -713,13 +713,18 @@ interface(`auth_manage_shadow',`
 ##	Domain allowed access.
 ##	</summary>
 ## </param>
+## <param name="name" optional="true">
+##      <summary>
+##      The name of the object being created.
+##      </summary>
+## </param>
 #
 interface(`auth_etc_filetrans_shadow',`
 	gen_require(`
 		type shadow_t;
 	')
 
-	files_etc_filetrans($1, shadow_t, file)
+	files_etc_filetrans($1, shadow_t, file, $2)
 ')
 
 #######################################
Index: refpolicy-2.20210130/policy/modules/admin/dpkg.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/admin/dpkg.te
+++ refpolicy-2.20210130/policy/modules/admin/dpkg.te
@@ -276,6 +276,7 @@ term_use_all_terms(dpkg_script_t)
 
 files_manage_non_auth_files(dpkg_script_t)
 
+auth_etc_filetrans_shadow(dpkg_script_t, "shadow.upwd-write")
 auth_manage_shadow(dpkg_script_t)
 
 init_all_labeled_script_domtrans(dpkg_script_t)
@@ -307,10 +308,20 @@ optional_policy(`
 ')
 
 optional_policy(`
+	aptcacher_filetrans_cache_dir(dpkg_script_t)
+	aptcacher_filetrans_conf_dir(dpkg_script_t)
+	aptcacher_filetrans_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	bootloader_run(dpkg_script_t, dpkg_roles)
 ')
 
 optional_policy(`
+	clamav_filetrans_log(dpkg_script_t)
+')
+
+optional_policy(`
 	devicekit_dbus_chat_power(dpkg_script_t)
 ')
 
@@ -319,6 +330,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	milter_filetrans_spamass_state(dpkg_script_t)
+')
+
+optional_policy(`
 	modutils_run(dpkg_script_t, dpkg_roles)
 ')
 
@@ -327,6 +342,11 @@ optional_policy(`
 ')
 
 optional_policy(`
+	mysql_create_db_dir(dpkg_script_t)
+	mysql_create_log_dir(dpkg_script_t)
+')
+
+optional_policy(`
 	nis_use_ypbind(dpkg_script_t)
 ')
 
Index: refpolicy-2.20210130/policy/modules/services/mysql.fc
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.fc
+++ refpolicy-2.20210130/policy/modules/services/mysql.fc
@@ -25,8 +25,8 @@ HOME_DIR/\.my\.cnf	--	gen_context(system
 /var/lib/mysql(/.*)?	gen_context(system_u:object_r:mysqld_db_t,s0)
 /var/lib/mysql/mysql.*	-s	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 
-/var/log/mariadb(/.*)?	gen_context(system_u:object_r:mysqld_log_t,s0)
-/var/log/mysql.*	--	gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mariadb(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)
+/var/log/mysql(/.*)?		gen_context(system_u:object_r:mysqld_log_t,s0)
 
 /run/mysqld.*	gen_context(system_u:object_r:mysqld_runtime_t,s0)
 /run/mysqlmanager.*	--	gen_context(system_u:object_r:mysqlmanagerd_runtime_t,s0)
Index: refpolicy-2.20210130/policy/modules/services/mysql.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/mysql.if
+++ refpolicy-2.20210130/policy/modules/services/mysql.if
@@ -243,6 +243,24 @@ interface(`mysql_manage_db_files',`
 
 ########################################
 ## <summary>
+##	create mysqld db dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_create_db_dir',`
+	gen_require(`
+		type mysqld_db_t;
+	')
+
+	files_var_lib_filetrans($1, mysqld_db_t, dir, "mysql")
+')
+
+########################################
+## <summary>
 ##	Create, read, write, and delete
 ##	mysqld home files.
 ## </summary>
@@ -325,9 +343,29 @@ interface(`mysql_write_log',`
 	')
 
 	logging_search_logs($1)
+	allow $1 mysqld_log_t:dir search_dir_perms;
 	allow $1 mysqld_log_t:file write_file_perms;
 ')
 
+########################################
+## <summary>
+##	create mysqld log dir.
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`mysql_create_log_dir',`
+	gen_require(`
+		type mysqld_log_t;
+	')
+
+	logging_search_logs($1)
+	logging_log_filetrans($1, mysqld_log_t, dir, "mysql")
+')
+
 ######################################
 ## <summary>
 ##	Execute mysqld safe in the
Index: refpolicy-2.20210130/policy/modules/services/clamav.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/clamav.if
+++ refpolicy-2.20210130/policy/modules/services/clamav.if
@@ -430,3 +430,39 @@ interface(`clamav_admin',`
 	files_list_tmp($1)
 	admin_pattern($1, { clamd_tmp_t clamscan_tmp_t })
 ')
+
+########################################
+## <summary>
+##	specified domain creates /var/log/clamav/freshclam.log with correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_filetrans_log',`
+	gen_require(`
+		type clamd_var_log_t, freshclam_var_log_t;
+	')
+
+	filetrans_pattern($1, clamd_var_log_t, freshclam_var_log_t, file, "freshclam.log")
+')
+
+########################################
+## <summary>
+##	specified domain creates /run/clamav with correct type
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`clamav_filetrans_runtime_dir',`
+	gen_require(`
+		type clamd_runtime_t;
+	')
+
+	files_runtime_filetrans($1, clamd_runtime_t, dir, "clamav")
+')
Index: refpolicy-2.20210130/policy/modules/services/aptcacher.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/aptcacher.if
+++ refpolicy-2.20210130/policy/modules/services/aptcacher.if
@@ -63,3 +63,57 @@ interface(`aptcacher_stream_connect',`
 	files_search_runtime($1)
 	stream_connect_pattern($1, aptcacher_runtime_t, aptcacher_runtime_t, aptcacher_t)
 ')
+
+########################################
+## <summary>
+##	create /var/log/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_filetrans_log_dir',`
+	gen_require(`
+		type aptcacher_log_t;
+	')
+
+	logging_log_filetrans($1, aptcacher_log_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+##	create /var/cache/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_filetrans_cache_dir',`
+	gen_require(`
+		type aptcacher_cache_t;
+	')
+
+	files_var_filetrans($1, aptcacher_cache_t, dir, "apt-cacher-ng")
+')
+
+########################################
+## <summary>
+##	create /etc/apt-cacher-ng
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`aptcacher_filetrans_conf_dir',`
+	gen_require(`
+		type aptcacher_conf_t;
+	')
+
+	files_etc_filetrans($1, aptcacher_conf_t, dir, "apt-cacher-ng")
+')
Index: refpolicy-2.20210130/policy/modules/services/ftp.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/ftp.if
+++ refpolicy-2.20210130/policy/modules/services/ftp.if
@@ -189,3 +189,21 @@ interface(`ftp_admin',`
 
 	ftp_run_ftpdctl($1, $2)
 ')
+
+########################################
+## <summary>
+##	create /run/pure-ftpd
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`ftp_filetrans_pure_ftpd_runtime',`
+	gen_require(`
+		type ftpd_runtime_t;
+	')
+
+	files_runtime_filetrans($1, ftpd_runtime_t, dir, "pure-ftpd")
+')
Index: refpolicy-2.20210130/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/init.te
+++ refpolicy-2.20210130/policy/modules/system/init.te
@@ -1094,6 +1094,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	clamav_filetrans_runtime_dir(initrc_t)
 	clamav_read_config(initrc_t)
 ')
 
@@ -1287,6 +1288,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	ftp_filetrans_pure_ftpd_runtime(initrc_t)
+')
+
+optional_policy(`
 	rpc_read_exports(initrc_t)
 ')
 
Index: refpolicy-2.20210130/policy/modules/services/milter.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/services/milter.if
+++ refpolicy-2.20210130/policy/modules/services/milter.if
@@ -100,6 +100,24 @@ interface(`milter_manage_spamass_state',
 
 ########################################
 ## <summary>
+##	create spamass milter state dir
+## </summary>
+## <param name="domain">
+##	<summary>
+##	Domain allowed access.
+##	</summary>
+## </param>
+#
+interface(`milter_filetrans_spamass_state',`
+	gen_require(`
+		type spamass_milter_state_t;
+	')
+
+	files_var_lib_filetrans($1, spamass_milter_state_t, dir, "spamass-milter")
+')
+
+########################################
+## <summary>
 ##	Get the attributes of the spamassissin milter data dir.
 ## </summary>
 ## <param name="domain">
Index: refpolicy-2.20210130/policy/modules/system/unconfined.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/unconfined.te
+++ refpolicy-2.20210130/policy/modules/system/unconfined.te
@@ -67,6 +67,7 @@ ifdef(`init_systemd',`
 
 	optional_policy(`
 		systemd_dbus_chat_resolved(unconfined_t)
+		systemd_filetrans_passwd_runtime_dirs(unconfined_t)
 	')
 ')
 
Index: refpolicy-2.20210130/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210130/policy/modules/roles/sysadm.te
@@ -99,6 +99,7 @@ ifdef(`init_systemd',`
 	# LookupDynamicUserByUID on org.freedesktop.systemd1.
 	init_dbus_chat(sysadm_t)
 
+	systemd_run_passwd_agent(sysadm_t, sysadm_r)
 	systemd_watch_passwd_runtime_dirs(sysadm_t)
 ')
 
Index: refpolicy-2.20210130/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20210130.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20210130/policy/modules/system/systemd.if
@@ -623,6 +623,31 @@ interface(`systemd_use_passwd_agent_fds'
 	allow systemd_passwd_agent_t $1:fd use;
 ')
 
+########################################
+## <summary>
+##      allow systemd_passwd_agent to be run by admin
+## </summary>
+## <param name="domain">
+##      <summary>
+##      Domain that runs it
+##      </summary>
+## </param>
+## <param name="role">
+##      <summary>
+##      role that it runs in
+##      </summary>
+## </param>
+#
+interface(`systemd_run_passwd_agent',`
+	gen_require(`
+		type systemd_passwd_agent_t, systemd_passwd_agent_exec_t;
+	')
+
+	domain_auto_transition_pattern($1, systemd_passwd_agent_exec_t, systemd_passwd_agent_t)
+	allow systemd_passwd_agent_t $1:fd use;
+	role $2 types systemd_passwd_agent_t;
+')
+
 #######################################
 ## <summary>
 ##	Allow a systemd_passwd_agent_t process to interact with a daemon