From: Dominick Grift
To: Russell Coker
Cc: selinux-refpolicy@vger.kernel.org
Subject: Re: [PATCH] little misc patches
References:
Date: Wed, 03 Feb 2021 18:50:55 +0100
In-Reply-To: (Russell Coker's message of "Wed, 3 Feb 2021 15:10:02 +1100")
Message-ID:
User-Agent: Gnus/5.13 (Gnus v5.13) Emacs/27.1 (gnu/linux)
MIME-Version: 1.0
Content-Type: text/plain
Precedence: bulk
List-ID:
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Russell Coker writes:

> More little misc patches.
>
> Signed-off-by: Russell Coker
>
> Index: refpolicy-2.20210203/policy/modules/admin/acct.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/acct.te
> +++ refpolicy-2.20210203/policy/modules/admin/acct.te
> @@ -57,6 +57,7 @@ init_use_fds(acct_t)
> init_use_script_ptys(acct_t)
> init_exec_script_files(acct_t)
>
> +logging_search_logs(acct_t)
> logging_send_syslog_msg(acct_t)
>
> miscfiles_read_localization(acct_t)
> Index: refpolicy-2.20210203/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20210203/policy/modules/admin/bootloader.te
> @@ -44,6 +44,7 @@ dev_node(bootloader_tmp_t)
> allow bootloader_t self:capability { chown dac_override dac_read_search fsetid mknod setgid sys_admin sys_rawio };
> allow bootloader_t self:process { signal_perms execmem };
> allow bootloader_t self:fifo_file rw_fifo_file_perms;
> +allow bootloader_t self:netlink_selinux_socket
> connected_socket_perms;

this can be dontaudited (or even just removed) because the status_page api falls back to this if the file cannot be mapped, but since you allow the map below this is not needed and so this should no longer be triggered

>
> allow bootloader_t bootloader_etc_t:file read_file_perms;
> # uncomment the following lines if you use "lilo -p"
> @@ -61,6 +62,7 @@ allow bootloader_t bootloader_tmp_t:dir
> files_root_filetrans(bootloader_t, bootloader_tmp_t, file)
>
> kernel_getattr_core_if(bootloader_t)
> +kernel_read_crypto_sysctls(bootloader_t)
> kernel_read_network_state(bootloader_t)
> kernel_read_system_state(bootloader_t)
> kernel_read_software_raid_state(bootloader_t)
> @@ -152,8 +154,12 @@ miscfiles_read_localization(bootloader_t
>
> mount_rw_runtime_files(bootloader_t)
>
> +selinux_get_enforce_mode(bootloader_t)
> selinux_getattr_fs(bootloader_t)
> +selinux_search_fs(bootloader_t)
> +selinux_use_status_page(bootloader_t)
> seutil_read_bin_policy(bootloader_t)
> +seutil_read_config(bootloader_t)
> seutil_read_file_contexts(bootloader_t)
> seutil_read_loadpolicy(bootloader_t)
> seutil_dontaudit_search_config(bootloader_t)
> Index: refpolicy-2.20210203/policy/modules/admin/brctl.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/brctl.te
> +++ refpolicy-2.20210203/policy/modules/admin/brctl.te
> @@ -17,7 +17,7 @@ role brctl_roles types brctl_t;
> # Local policy
> #
>
> -allow brctl_t self:capability net_admin;
> +allow brctl_t self:capability { net_admin sys_module };

use the appropriate interface for loading kernel modules instead

> allow brctl_t self:fifo_file rw_fifo_file_perms;
> allow brctl_t self:unix_stream_socket create_stream_socket_perms;
> allow brctl_t self:unix_dgram_socket create_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/admin/logrotate.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/admin/logrotate.te
> +++ refpolicy-2.20210203/policy/modules/admin/logrotate.te
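Review bot: `+seutil_read_config(bootloader_t)` is added four lines above the existing `seutil_dontaudit_search_config(bootloader_t)` context line; in refpolicy seutil_read_config grants list/search on selinux_config_t directories, so that dontaudit becomes dead and should be removed in the same hunk rather than left to contradict the allow. A dontaudit that survives next to an allow for the same access misleads the next reader into thinking the search is still meant to fail silently. If this tree's seutil_read_config does not cover directory search, disregard this.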
> @@ -116,6 +116,8 @@ init_dbus_chat(logrotate_t)
> init_stream_connect(logrotate_t)
> init_manage_all_units(logrotate_t)
>
> +libs_exec_lib_files(logrotate_t)

probably a mislabeled file, better to address the labeling issue

> +
> logging_manage_all_logs(logrotate_t)
> logging_send_syslog_msg(logrotate_t)
> logging_send_audit_msgs(logrotate_t)
> Index: refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/cdrecord.fc
> +++ refpolicy-2.20210203/policy/modules/apps/cdrecord.fc
> @@ -1,3 +1,4 @@
> /usr/bin/cdrecord -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
> +/usr/bin/cdrskin -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
> /usr/bin/growisofs -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
> /usr/bin/wodim -- gen_context(system_u:object_r:cdrecord_exec_t,s0)
> Index: refpolicy-2.20210203/policy/modules/apps/games.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/games.te
> +++ refpolicy-2.20210203/policy/modules/apps/games.te
> @@ -92,7 +92,9 @@ optional_policy(`
> allow games_t self:fifo_file rw_fifo_file_perms;
> allow games_t self:sem create_sem_perms;
> allow games_t self:tcp_socket { accept listen };
> +allow games_t self:process getsched;
>
> +manage_dirs_pattern(games_t, games_data_t, games_data_t)
> manage_files_pattern(games_t, games_data_t, games_data_t)
> manage_lnk_files_pattern(games_t, games_data_t, games_data_t)
>
> @@ -101,6 +103,8 @@ term_create_pty(games_t, games_devpts_t)
>
> manage_dirs_pattern(games_t, games_tmp_t, games_tmp_t)
> manage_files_pattern(games_t, games_tmp_t, games_tmp_t)
> +allow games_t games_tmp_t:file map;
> +
> files_tmp_filetrans(games_t, games_tmp_t, { file dir })
>
> manage_files_pattern(games_t, games_tmpfs_t, games_tmpfs_t)
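Review bot: `+allow games_t games_tmp_t:file map;` is a raw allow dropped between pattern macros; if this tree already has `mmap_manage_files_pattern` in misc_patterns.spt, the cleaner form is to turn the `manage_files_pattern(games_t, games_tmp_t, games_tmp_t)` line just above it into `mmap_manage_files_pattern(games_t, games_tmp_t, games_tmp_t)` and drop the raw rule. The added blank `+` line also separates `files_tmp_filetrans` from the games_tmp_t rules it belongs with, so I would drop it as well. The games_t block continues outside this hunk.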
> @@ -128,6 +132,8 @@ corenet_tcp_bind_generic_port(games_t)
> corenet_sendrecv_generic_client_packets(games_t)
> corenet_tcp_connect_generic_port(games_t)
>
> +corenet_udp_bind_generic_node(games_t)
> +
> dev_read_sound(games_t)
> dev_read_input(games_t)
> dev_read_mouse(games_t)
> @@ -136,13 +142,16 @@ dev_rw_dri(games_t)
> dev_write_sound(games_t)
>
> files_list_var(games_t)
> +files_search_mnt(games_t)
> files_search_var_lib(games_t)
> files_dontaudit_search_var(games_t)
> +files_map_usr_files(games_t)
> files_read_etc_files(games_t)
> files_read_usr_files(games_t)
> files_read_var_files(games_t)
>
> fs_dontaudit_getattr_xattr_fs(games_t)
> +fs_search_nfs(games_t)
>
> init_dontaudit_rw_utmp(games_t)
>
> @@ -158,6 +167,7 @@ userdom_manage_user_tmp_dirs(games_t)
> userdom_manage_user_tmp_files(games_t)
> userdom_manage_user_tmp_symlinks(games_t)
> userdom_manage_user_tmp_sockets(games_t)
> +userdom_use_user_ptys(games_t)
> userdom_dontaudit_read_user_home_content_files(games_t)
>
> tunable_policy(`allow_execmem',`
> @@ -166,6 +176,7 @@ tunable_policy(`allow_execmem',`
>
> optional_policy(`
> alsa_read_config(games_t)
> + alsa_read_home_files(games_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/apps/gpg.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/apps/gpg.te
> +++ refpolicy-2.20210203/policy/modules/apps/gpg.te
> @@ -137,6 +137,7 @@ logging_send_syslog_msg(gpg_t)
> miscfiles_read_localization(gpg_t)
>
> userdom_use_user_terminals(gpg_t)
> +userdom_user_home_dir_filetrans_user_home_content(gpg_t, file)
>
> userdom_manage_user_tmp_dirs(gpg_t)
> userdom_manage_user_tmp_files(gpg_t)
> Index: refpolicy-2.20210203/policy/modules/kernel/devices.fc
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/kernel/devices.fc
> +++ refpolicy-2.20210203/policy/modules/kernel/devices.fc
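Review bot: `+fs_search_nfs(games_t)` is granted unconditionally, whereas the usual refpolicy pattern for user-role application domains keeps NFS and CIFS access behind the use_nfs_home_dirs / use_samba_home_dirs tunables so that systems without network homes grant nothing; please wrap it in a tunable_policy block for use_nfs_home_dirs and add the cifs counterpart if the same game needs it. The neighbouring `+files_search_mnt(games_t)` suggests the trigger was a game living on a mounted share, but that is an inference from the patch alone, so a short comment naming the case would settle it.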
> @@ -137,6 +137,7 @@ ifdef(`distro_suse', `
> /dev/vhci -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vhost-net -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/vhost-scsi -c gen_context(system_u:object_r:vhost_device_t,s0)
> +/dev/vhost-vsock -c gen_context(system_u:object_r:vhost_device_t,s0)
> /dev/video.* -c gen_context(system_u:object_r:v4l_device_t,s0)
> /dev/vmmon -c gen_context(system_u:object_r:vmware_device_t,s0)
> /dev/vmnet.* -c gen_context(system_u:object_r:vmware_device_t,s0)
> Index: refpolicy-2.20210203/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20210203/policy/modules/roles/sysadm.te
> @@ -41,6 +41,8 @@ allow sysadm_t self:netlink_tcpdiag_sock
> allow sysadm_t self:capability audit_write;
> allow sysadm_t self:system status;
>
> +kernel_request_load_module(sysadm_t)
> +
> corecmd_exec_shell(sysadm_t)
>
> corenet_ib_access_unlabeled_pkeys(sysadm_t)
> @@ -61,6 +63,7 @@ ubac_fd_exempt(sysadm_t)
>
> init_exec(sysadm_t)
> init_admin(sysadm_t)
> +init_rw_stream_sockets(sysadm_t)
>
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> Index: refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/roles/unprivuser.te
> +++ refpolicy-2.20210203/policy/modules/roles/unprivuser.te
> @@ -29,6 +29,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + ssh_role_template(user, user_r, user_t)
> +')
> +
> +optional_policy(`
> vlock_run(user_t, user_r)
> ')
>
> @@ -162,10 +166,6 @@ ifndef(`distro_redhat',`
> ')
>
> optional_policy(`
> - ssh_role_template(user, user_r, user_t)
> - ')
> -
> - optional_policy(`
> su_role_template(user, user_r, user_t)
> ')
>
> Index: refpolicy-2.20210203/policy/modules/system/authlogin.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/authlogin.te
> +++ refpolicy-2.20210203/policy/modules/system/authlogin.te
> @@ -389,6 +389,8 @@ domain_use_interactive_fds(utempter_t)
>
> logging_search_logs(utempter_t)
>
> +term_use_ptmx(utempter_t)
> +
> userdom_use_user_terminals(utempter_t)
> # Allow utemper to write to /tmp/.xses-*
> userdom_write_user_tmp_files(utempter_t)
> @@ -406,6 +408,7 @@ optional_policy(`
> optional_policy(`
> xserver_use_xdm_fds(utempter_t)
> xserver_rw_xdm_pipes(utempter_t)
> + xserver_write_inherited_xsession_log(utempter_t)
> ')
>
> #######################################
> Index: refpolicy-2.20210203/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.if
> +++ refpolicy-2.20210203/policy/modules/system/init.if
> @@ -3498,6 +3498,24 @@ interface(`init_reload_all_units',`
> allow $1 { init_script_file_type systemdunit }:service reload;
> ')
>
> +#######################################
> +##
> +## getattr all systemd unit files.
> +##
> +##
> +##
> +## Domain allowed access.
> +##
> +##
> +#
> +interface(`init_getattr_all_units',`
> + gen_require(`
> + attribute systemdunit;
> + ')
> +
> + allow $1 systemdunit:file getattr;
> +')
> +
> ########################################
> ##
> ## Manage systemd unit dirs and the files in them
> Index: refpolicy-2.20210203/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/init.te
> +++ refpolicy-2.20210203/policy/modules/system/init.te
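Review bot: The second unprivuser.te hunk removes `ssh_role_template(user, user_r, user_t)` from inside the ifndef(distro_redhat) block and the first hunk re-adds it unconditionally, so Red Hat builds now get the ssh role template for user_r where they previously did not; that is a behaviour change, not a relocation, and "little misc patches" does not mention it. Either keep the new optional_policy block under the ifndef, or state in the commit message why distro_redhat should change. The ifndef that encloses the removed lines opens before this hunk starts, so the surrounding conditional is not visible here.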
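Review bot: `init_getattr_all_units` is a new interface with no caller anywhere in this patch, so it lands as dead code; please include the hunk that uses it or hold it back until that caller is ready. Two smaller points on the new block: unit files under /etc/systemd/system/*.wants/ are symlinks, so a caller that stats units through those paths may also need `read_lnk_files_pattern($1, systemdunit, systemdunit)` (hedged — it depends on how the caller walks the tree), and the doc block as shown has lost the summary/param XML tags refpolicy interfaces normally carry, which may be a mail or archive artifact but is worth checking in the applied patch.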
> @@ -244,7 +244,6 @@ ifdef(`init_systemd',`
> allow init_t self:udp_socket create_socket_perms;
> allow init_t self:netlink_route_socket create_netlink_socket_perms;
> allow init_t initrc_t:unix_dgram_socket create_socket_perms;
> - allow init_t self:capability2 audit_read;
> allow init_t self:key { search setattr write };
> allow init_t self:bpf { map_create map_read map_write prog_load prog_run };
>
> @@ -262,7 +261,7 @@ ifdef(`init_systemd',`
>
> # setexec and setkeycreate for systemd --user
> allow init_t self:process { getcap getsched setsched setpgid setfscreate setsockcreate setexec setkeycreate setcap setrlimit };
> - allow init_t self:capability2 { audit_read block_suspend };
> + allow init_t self:capability2 { audit_read block_suspend bpf perfmon };
> allow init_t self:netlink_kobject_uevent_socket create_socket_perms;
> allow init_t self:unix_dgram_socket lock;
>
> @@ -428,6 +427,7 @@ ifdef(`init_systemd',`
> miscfiles_watch_localization(init_t)
>
> mount_watch_runtime_dirs(init_t)
> + mount_watch_runtime_files_reads(init_t)
>
> # systemd_socket_activated policy
> mls_socket_write_all_levels(init_t)
> Index: refpolicy-2.20210203/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20210203/policy/modules/system/logging.te
> @@ -510,6 +510,7 @@ seutil_read_config(syslogd_t)
>
> userdom_dontaudit_use_unpriv_user_fds(syslogd_t)
> userdom_dontaudit_search_user_home_dirs(syslogd_t)
> +userdom_search_user_runtime_root(syslogd_t)
>
> ifdef(`init_systemd',`
> # for systemd-journal
> @@ -549,6 +550,8 @@ ifdef(`init_systemd',`
> systemd_manage_journal_files(syslogd_t)
>
> udev_read_runtime_files(syslogd_t)
> + userdom_list_user_tmp(syslogd_t)
> + userdom_read_user_tmp_symlinks(syslogd_t)
> ')
>
> ifdef(`distro_gentoo',`
> Index: refpolicy-2.20210203/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20210203/policy/modules/system/lvm.te
> @@ -105,10 +105,13 @@ files_read_etc_files(clvmd_t)
> files_list_usr(clvmd_t)
>
> fs_getattr_all_fs(clvmd_t)
> +fs_getattr_pstore_dirs(lvm_t)
> fs_search_auto_mountpoints(clvmd_t)
> +fs_search_cgroup_dirs(lvm_t)
> fs_dontaudit_list_tmpfs(clvmd_t)
> fs_dontaudit_read_removable_files(clvmd_t)
> fs_rw_anon_inodefs_files(clvmd_t)
> +fs_search_bpf(lvm_t)
>
> storage_dontaudit_getattr_removable_dev(clvmd_t)
> storage_manage_fixed_disk(clvmd_t)
> @@ -167,7 +170,6 @@ optional_policy(`
> allow lvm_t self:capability { chown dac_override fowner ipc_lock mknod net_admin sys_admin sys_nice sys_rawio sys_resource };
> dontaudit lvm_t self:capability sys_tty_config;
> allow lvm_t self:process { sigchld sigkill sigstop signull signal setfscreate };
> -# LVM will complain a lot if it cannot set its priority.
> allow lvm_t self:process setsched;
> allow lvm_t self:file rw_file_perms;
> allow lvm_t self:fifo_file manage_fifo_file_perms;
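Review bot: `+fs_getattr_pstore_dirs(lvm_t)`, `+fs_search_cgroup_dirs(lvm_t)` and `+fs_search_bpf(lvm_t)` are lvm_t rules inserted into the clvmd_t block — every context line around them targets clvmd_t — so they read like typos for clvmd_t and will be invisible to anyone maintaining the lvm_t section; move them to the lvm_t fs_ group later in the file, which is outside this hunk. Searching bpffs and cgroupfs is unusual for a volume manager, so a one-line comment naming the triggering command would help the next reviewer decide whether the access is really needed.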
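Review bot: The deleted line `# LVM will complain a lot if it cannot set its priority.` was the only justification for `allow lvm_t self:process setsched;`, which the hunk keeps directly below it; unless the comment is wrong, leave it in place or replace it with a corrected one, since the bare rule otherwise invites a later cleanup to remove it.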
> @@ -298,6 +300,8 @@ selinux_compute_user_contexts(lvm_t)
>
> storage_relabel_fixed_disk(lvm_t)
> storage_dontaudit_read_removable_device(lvm_t)
> +storage_getattr_removable_dev(lvm_t)
> +
> # LVM creates block devices in /dev/mapper or /dev/
> # depending on its version
> # LVM(2) needs to create directories (/dev/mapper, /dev/)
> Index: refpolicy-2.20210203/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20210203/policy/modules/system/modutils.te
> @@ -34,6 +34,7 @@ ifdef(`init_systemd',`
> #
>
> allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config };
> +allow kmod_t self:lockdown confidentiality;
> allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal };
> # for the radeon/amdgpu modules
> dontaudit kmod_t self:capability sys_admin;
> Index: refpolicy-2.20210203/policy/modules/system/mount.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/mount.te
> +++ refpolicy-2.20210203/policy/modules/system/mount.te
> @@ -98,12 +98,14 @@ files_list_all_mountpoints(mount_t)
> files_dontaudit_write_all_mountpoints(mount_t)
> files_dontaudit_setattr_all_mountpoints(mount_t)
>
> +fs_getattr_binfmt_misc_fs(mount_t)
> fs_getattr_xattr_fs(mount_t)
> fs_getattr_tmpfs(mount_t)
> fs_getattr_rpc_pipefs(mount_t)
> fs_getattr_cifs(mount_t)
> fs_getattr_nfs(mount_t)
> fs_mount_all_fs(mount_t)
> +fs_manage_tmpfs_dirs(mount_t)
> fs_unmount_all_fs(mount_t)
> fs_remount_all_fs(mount_t)
> fs_relabelfrom_all_fs(mount_t)
> Index: refpolicy-2.20210203/policy/modules/system/raid.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/raid.te
> +++ refpolicy-2.20210203/policy/modules/system/raid.te
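Review bot: `+allow kmod_t self:lockdown confidentiality;` is a broad grant — that single permission stands for every confidentiality-level lockdown reason (/proc/kcore, kprobes, bpf reads of kernel memory, perf, tracefs) — and nothing in the hunk says which kmod operation tripped it. Please add a comment naming the trigger above the rule, and if kmod works without the access, prefer `dontaudit kmod_t self:lockdown confidentiality;`, in the spirit of the neighbouring `dontaudit kmod_t self:capability sys_admin;` that this block already uses for an access it declines to grant. The trigger itself is not visible from the patch, so this is a request for the rationale rather than a claim that the allow is wrong.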
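Review bot: `+fs_manage_tmpfs_dirs(mount_t)` lets mount_t create, rename and delete directories on every tmpfs_t filesystem, with no comment on what needs it; the other addition in this hunk is getattr-level, and the `files_dontaudit_write_all_mountpoints(mount_t)` context line shows the module deliberately declines write access to mount points, so this is a real step up in scope. If it is for creating a mount point under /run or /dev/shm, say so in a comment above the rule and consider a filetrans to a mount-specific type instead of blanket management of tmpfs_t directories.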
> @@ -60,6 +60,7 @@ domain_use_interactive_fds(mdadm_t)
> files_read_etc_files(mdadm_t)
> files_read_etc_runtime_files(mdadm_t)
> files_dontaudit_getattr_all_files(mdadm_t)
> +files_search_tmp(mdadm_t)
>
> fs_getattr_all_fs(mdadm_t)
> fs_list_auto_mountpoints(mdadm_t)
> Index: refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/selinuxutil.te
> +++ refpolicy-2.20210203/policy/modules/system/selinuxutil.te
> @@ -368,14 +368,19 @@ fs_list_inotifyfs(restorecond_t)
> fs_relabelfrom_noxattr_fs(restorecond_t)
> fs_getattr_pstorefs(restorecond_t)
>
> +logging_watch_generic_logs_dir(restorecond_t)
> +
> selinux_validate_context(restorecond_t)
> selinux_compute_access_vector(restorecond_t)
> selinux_compute_create_context(restorecond_t)
> selinux_compute_relabel_context(restorecond_t)
> selinux_compute_user_contexts(restorecond_t)
> +seutil_read_file_contexts(restorecond_t)
>
> files_relabel_non_auth_files(restorecond_t )
> files_dontaudit_read_all_symlinks(restorecond_t)
> +files_watch_etc_dirs(restorecond_t)
> +files_watch_runtime_dirs(restorecond_t)
> auth_use_nsswitch(restorecond_t)
>
> logging_send_syslog_msg(restorecond_t)
> @@ -416,6 +421,8 @@ allow run_init_t self:netlink_audit_sock
> # the failed access to the current directory
> dontaudit run_init_t self:capability { dac_override dac_read_search };
>
> +kernel_getattr_proc(run_init_t)
> +
> corecmd_exec_bin(run_init_t)
> corecmd_exec_shell(run_init_t)
>
> @@ -585,6 +592,7 @@ allow setfiles_t { policy_src_t policy_c
> allow setfiles_t { policy_src_t policy_config_t file_context_t default_context_t }:lnk_file { read_lnk_file_perms ioctl lock };
> allow setfiles_t file_context_t:file map;
>
> +kernel_read_kernel_sysctls(setfiles_t)
> kernel_read_system_state(setfiles_t)
> kernel_relabelfrom_unlabeled_dirs(setfiles_t)
> kernel_relabelfrom_unlabeled_files(setfiles_t)
> Index: refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/sysnetwork.te
> +++ refpolicy-2.20210203/policy/modules/system/sysnetwork.te
> @@ -61,7 +61,7 @@ allow dhcpc_t self:capability { dac_over
> dontaudit dhcpc_t self:capability { sys_ptrace sys_tty_config };
> # for access("/etc/bashrc", X_OK) on Red Hat
> dontaudit dhcpc_t self:capability { dac_read_search sys_module };
> -allow dhcpc_t self:process { getsched getcap setcap setfscreate ptrace signal_perms };
> +allow dhcpc_t self:process { setrlimit getsched getcap setcap setfscreate ptrace signal_perms };
>
> allow dhcpc_t self:fifo_file rw_fifo_file_perms;
> allow dhcpc_t self:tcp_socket create_stream_socket_perms;
> Index: refpolicy-2.20210203/policy/modules/system/udev.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/udev.te
> +++ refpolicy-2.20210203/policy/modules/system/udev.te
> @@ -43,6 +43,7 @@ ifdef(`enable_mcs',`
> allow udev_t self:capability { chown dac_override dac_read_search fowner fsetid mknod net_admin net_raw setgid setuid sys_admin sys_nice sys_ptrace sys_rawio sys_resource };
> dontaudit udev_t self:capability sys_tty_config;
> allow udev_t self:capability2 { wake_alarm block_suspend };
> +allow udev_t self:lockdown confidentiality;
> allow udev_t self:process { transition signal_perms ptrace getsched setsched getsession getpgid setpgid getcap setcap share getattr setfscreate noatsecure siginh rlimitinh dyntransition execmem setkeycreate setsockcreate getrlimit };
> allow udev_t self:fd use;
> allow udev_t self:fifo_file rw_fifo_file_perms;
> @@ -74,6 +75,7 @@ manage_files_pattern(udev_t, udev_rules_
> manage_lnk_files_pattern(udev_t, udev_rules_t, udev_rules_t)
>
> manage_dirs_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> +allow udev_t udev_runtime_t:dir watch;
> manage_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> manage_lnk_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> manage_sock_files_pattern(udev_t, udev_runtime_t, udev_runtime_t)
> @@ -120,6 +122,7 @@ domain_dontaudit_ptrace_all_domains(udev
> files_read_usr_files(udev_t)
> files_read_etc_runtime_files(udev_t)
> files_read_etc_files(udev_t)
> +files_read_var_lib_symlinks(udev_t)
> files_mmap_read_kernel_modules(udev_t)
> files_exec_etc_files(udev_t)
> files_getattr_generic_locks(udev_t)
> @@ -129,6 +132,7 @@ fs_getattr_all_fs(udev_t)
> fs_list_inotifyfs(udev_t)
> fs_read_cgroup_files(udev_t)
> fs_rw_anon_inodefs_files(udev_t)
> +fs_search_tmpfs(udev_t)
> fs_search_tracefs(udev_t)
>
> mcs_ptrace_all(udev_t)
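Review bot: `+allow udev_t self:lockdown confidentiality;` carries no comment on the trigger; the `fs_search_tracefs(udev_t)` context line in the fourth udev hunk makes tracefs the likely reason (LOCKDOWN_TRACEFS is a confidentiality-level lockdown reason), but the permission also covers /proc/kcore, kprobes, bpf kernel reads and perf, so the grant is wider than the probable need. Please add `# lockdown: tracefs access` (or whatever the audit record actually showed) above the rule, and if udev only probes and works without it, use `dontaudit udev_t self:lockdown confidentiality;` instead — whichever form is chosen should match what this patch does for kmod_t in modutils.te.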
> @@ -153,6 +157,10 @@ auth_read_pam_console_data(udev_t)
> auth_domtrans_pam_console(udev_t)
> auth_use_nsswitch(udev_t)
>
> +# for /run/console-setup

then that shouldnt be labeled tmpfs_t?

> +fs_manage_tmpfs_dirs(udev_t)
> +fs_manage_tmpfs_files(udev_t)
> +
> init_read_utmp(udev_t)
> init_domtrans_script(udev_t)
> # systemd-udevd searches /run/systemd
> @@ -260,9 +268,6 @@ ifdef(`init_systemd',`
> optional_policy(`
> init_dbus_chat(udev_t)
> ')
> -',`
> - fs_manage_tmpfs_dirs(udev_t)
> - fs_manage_tmpfs_files(udev_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20210203/policy/modules/system/unconfined.te
> ===================================================================
> --- refpolicy-2.20210203.orig/policy/modules/system/unconfined.te
> +++ refpolicy-2.20210203/policy/modules/system/unconfined.te
> @@ -39,6 +39,7 @@ logging_send_syslog_msg(unconfined_t)
> logging_run_auditctl(unconfined_t, unconfined_r)
>
> mount_run_unconfined(unconfined_t, unconfined_r)
> +mount_watch_runtime_files_reads(unconfined_t)
>
> seutil_run_setfiles(unconfined_t, unconfined_r)
> seutil_run_semanage(unconfined_t, unconfined_r)
> --
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
https://sks-keyservers.net/pks/lookup?op=get&search=0xDA7E521F10F64098
Dominick Grift