Received: by 2002:a05:6a10:d5a5:0:0:0:0 with SMTP id gn37csp3146171pxb;
        Sat, 9 Oct 2021 03:05:12 -0700 (PDT)
X-Google-Smtp-Source: ABdhPJz42EvSsIBJK2c+iQhQnq3QV5Nkw/K51x6wdR/3L3qL/gpY91FlbKgFBOSzthPg6u1bZgeB
X-Received: by 2002:a63:dd45:: with SMTP id g5mr8882995pgj.236.1633773912731;
        Sat, 09 Oct 2021 03:05:12 -0700 (PDT)
ARC-Seal: i=1; a=rsa-sha256; t=1633773912; cv=none;
        d=google.com; s=arc-20160816;
        b=lhBMRaLfBYGKjmrbeiHIz95g4vZoiQsenvdXiTnT7JMqtMxYi4zW5Vff+1Gzk7q56L
         IgECuLx4uKwwc+PVyPEtyVux24dKgaEmNeYODujXhj7dWwjG+cBMy73ogg66r0ycqndQ
         xdKtkpoelg+WzNirPqGz3yNcWinud0z+dYUqezEMI1dGW3w3iEP49szso4N/zpyEmbmS
         kW2rhhAob7eKcokRq5nsN8Pg7HIFrcrSUJhgojdh7F2MGc3RMlQhsyBkaVdSuOlUeoJC
         V6KMP+9sIXBeWMDDzhUChTx+02kDgErZfhijhPRhUYBbRKoGpsFNufa1Ns9Mbw2+ukjp
         RCpg==
ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20160816;
        h=list-id:precedence:content-disposition:mime-version:message-id
         :subject:to:from:date:dkim-signature;
        bh=BfoFraGTlReUE3MhbwabOCbZzTeABF41D8k0/QNrtWw=;
        b=FUs9Uo322WbJfpHd3v2gB5/Zr6w6kPm4KseXiyk5g15m4CbReAyA9f330GPGASDpxX
         lf+tEZaFJO+Red2IWW4zWnNei9TrntaR8wm/fA2tDp2kV3+qU0dNSO0yjgK0rFuM9LjH
         LRxJKUNvi53Xj0le3JvH27AcBZzNm9h1ZYBE9hRQokgsspUTP0lgA4G39U8iLah2i0qp
         0xVwW5iDQeIsckJPMjCug690g49VYdLxYM7pDZ1obdL22e4fO3YlF4uC3n/iwEYQqRlK
         8xtL8brW2DNewjvn/wf1haW00huAsG33UvE0BNENSoL9BNjTIIoOi7wAsmqXTmSp1kgj
         PjdQ==
ARC-Authentication-Results: i=1; mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=E4YstCNB;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Return-Path: <selinux-refpolicy-owner@vger.kernel.org>
Received: from vger.kernel.org (vger.kernel.org. [23.128.96.18])
        by mx.google.com with ESMTP id p3si3388210pfh.201.2021.10.09.03.05.09;
        Sat, 09 Oct 2021 03:05:12 -0700 (PDT)
Received-SPF: pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) client-ip=23.128.96.18;
Authentication-Results: mx.google.com;
       dkim=pass header.i=@coker.com.au header.s=2008 header.b=E4YstCNB;
       spf=pass (google.com: domain of selinux-refpolicy-owner@vger.kernel.org designates 23.128.96.18 as permitted sender) smtp.mailfrom=selinux-refpolicy-owner@vger.kernel.org;
       dmarc=pass (p=REJECT sp=REJECT dis=NONE) header.from=coker.com.au
Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand
        id S232312AbhJIKHG (ORCPT <rfc822;apot1624@gmail.com> + 21 others);
        Sat, 9 Oct 2021 06:07:06 -0400
Received: from lindbergh.monkeyblade.net ([23.128.96.19]:56978 "EHLO
        lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org
        with ESMTP id S232224AbhJIKHF (ORCPT
        <rfc822;selinux-refpolicy@vger.kernel.org>);
        Sat, 9 Oct 2021 06:07:05 -0400
Received: from smtp.sws.net.au (smtp.sws.net.au [IPv6:2a01:4f8:201:1e6::dada:cafe])
        by lindbergh.monkeyblade.net (Postfix) with ESMTPS id 13890C061570
        for <selinux-refpolicy@vger.kernel.org>; Sat,  9 Oct 2021 03:05:09 -0700 (PDT)
Received: from xev.coker.com.au (localhost [127.0.0.1])
        by smtp.sws.net.au (Postfix) with ESMTP id F3913155CF
        for <selinux-refpolicy@vger.kernel.org>; Sat,  9 Oct 2021 21:05:05 +1100 (AEDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=coker.com.au;
        s=2008; t=1633773906;
        bh=BfoFraGTlReUE3MhbwabOCbZzTeABF41D8k0/QNrtWw=; l=9450;
        h=Date:From:To:Subject:From;
        b=E4YstCNB1NtZoRmQSnM4Got2/2iEVDIRrhQciK8LRHKikNGskt9deLHZpvaSxBnI8
         0n+ECADUNwo1i3dUWmYhJRJHe3p7b1BnQ7nGvXve3at4zA2a4EXSgbJ24ivHNeaN8x
         QQzCGp2v8nfMh+PDlO6WZzFhSVI/qpnh5bBnv9PI=
Received: by xev.coker.com.au (Postfix, from userid 1001)
        id 6331315FEFF2; Sat,  9 Oct 2021 21:05:01 +1100 (AEDT)
Date:   Sat, 9 Oct 2021 21:05:01 +1100
From:   Russell Coker <russell@coker.com.au>
To:     selinux-refpolicy@vger.kernel.org
Subject: [PATCH] strict policy patches
Message-ID: <YWFpTPHEZiydqBOq@xev.coker.com.au>
MIME-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Precedence: bulk
List-ID: <selinux-refpolicy.vger.kernel.org>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

Allow user domains to read kernel sysctls and crypto sysctls.

Add userdom_write_all_user_runtime_named_sockets interface (for pulseaudio_t).

Give sysadm_t more access.

Give dbus domains a little more access.

Allow ssh agent to write to an inherited log file from the X server.

Make systemd_analyze_exec_t an alias for bin_t and remove systemd_analyze_t 
omain.

Allow system cronjobs to read fs sysctls.

Signed-off-by: Russell Coker <russell@coker.com.au>

Index: refpolicy-2.20210908/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20210908/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
 	dontaudit $1_t user_tty_device_t:chr_file ioctl;
 
 	kernel_read_kernel_sysctls($1_t)
+	kernel_read_crypto_sysctls($1_t)
+	kernel_read_vm_overcommit_sysctl($1_t)
 	kernel_dontaudit_list_unlabeled($1_t)
 	kernel_dontaudit_getattr_unlabeled_files($1_t)
 	kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
@@ -3558,6 +3560,25 @@ interface(`userdom_delete_all_user_runti
 ')
 
 ########################################
+## <summary>
+##     write user runtime socket files
+## </summary>
+## <param name="domain">
+##     <summary>
+##     Domain allowed access.
+##     </summary>
+## </param>
+#
+interface(`userdom_write_all_user_runtime_named_sockets',`
+	gen_require(`
+		attribute user_runtime_content_type;
+	')
+
+	allow $1 user_runtime_content_type:dir list_dir_perms;
+	allow $1 user_runtime_content_type:sock_file write;
+')
+
+########################################
 ## <summary>
 ##	delete user runtime files
 ## </summary>
Index: refpolicy-2.20210908/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20210908/policy/modules/roles/sysadm.te
@@ -33,11 +33,22 @@ ifndef(`enable_mls',`
 # Local policy
 #
 
+allow sysadm_t self:netlink_generic_socket { create setopt bind write read };
+
+# for ptrace
+allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };
+
+allow sysadm_t self:capability audit_write;
+allow sysadm_t self:system status;
+
 corecmd_exec_shell(sysadm_t)
 
 corenet_ib_access_unlabeled_pkeys(sysadm_t)
 corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)
 
+domain_getsched_all_domains(sysadm_t)
+
+dev_read_cpuid(sysadm_t)
 dev_read_kmsg(sysadm_t)
 
 logging_watch_all_logs(sysadm_t)
@@ -58,6 +69,9 @@ init_admin(sysadm_t)
 userdom_manage_user_home_dirs(sysadm_t)
 userdom_home_filetrans_user_home_dir(sysadm_t)
 
+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
 ifdef(`direct_sysadm_daemon',`
 	optional_policy(`
 		init_run_daemon(sysadm_t, sysadm_r)
@@ -1033,6 +1047,10 @@ optional_policy(`
 ')
 
 optional_policy(`
+	systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
 	tboot_run_txtstat(sysadm_t, sysadm_r)
 ')
 
@@ -1100,6 +1118,7 @@ optional_policy(`
 ')
 
 optional_policy(`
+	dev_rw_generic_usb_dev(sysadm_t)
 	usbmodules_run(sysadm_t, sysadm_r)
 ')
 
Index: refpolicy-2.20210908/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20210908/policy/modules/services/xserver.if
@@ -100,6 +100,7 @@ interface(`xserver_restricted_role',`
 	xserver_xsession_entry_type($2)
 	xserver_dontaudit_write_log($2)
 	xserver_stream_connect_xdm($2)
+	xserver_use_user_fonts($2)
 	# certain apps want to read xdm.pid file
 	xserver_read_xdm_runtime_files($2)
 	# gnome-session creates socket under /tmp/.ICE-unix/
@@ -141,7 +142,7 @@ interface(`xserver_role',`
 	gen_require(`
 		type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
 		type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
-		type mesa_shader_cache_t;
+		type mesa_shader_cache_t, xdm_t;
 	')
 
 	xserver_restricted_role($1, $2)
@@ -184,6 +185,8 @@ interface(`xserver_role',`
 
 	xserver_read_xkb_libs($2)
 
+	allow $2 xdm_t:unix_stream_socket accept;
+
 	optional_policy(`
 		xdg_cache_filetrans($2, mesa_shader_cache_t, dir, "mesa_shader_cache")
 	')
@@ -1224,6 +1227,7 @@ interface(`xserver_read_xkb_libs',`
 	allow $1 xkb_var_lib_t:dir list_dir_perms;
 	read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
 	read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+	allow $1 xkb_var_lib_t:file map;
 ')
 
 ########################################
Index: refpolicy-2.20210908/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20210908/policy/modules/services/dbus.if
@@ -85,6 +85,7 @@ template(`dbus_role_template',`
 
 	allow $3 $1_dbusd_t:unix_stream_socket connectto;
 	allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+	allow $1_dbusd_t $3:dbus send_msg;
 	allow $3 $1_dbusd_t:fd use;
 
 	dontaudit $1_dbusd_t self:process getcap;
@@ -103,9 +104,13 @@ template(`dbus_role_template',`
 
 	allow $1_dbusd_t $3:process sigkill;
 
+	allow $1_dbusd_t self:process getcap;
+
 	corecmd_bin_domtrans($1_dbusd_t, $3)
 	corecmd_shell_domtrans($1_dbusd_t, $3)
 
+	dev_read_sysfs($1_dbusd_t)
+
 	auth_use_nsswitch($1_dbusd_t)
 
 	ifdef(`hide_broken_symptoms',`
@@ -117,6 +122,15 @@ template(`dbus_role_template',`
 		systemd_user_daemon_domain($1, dbusd_exec_t, $1_dbusd_t)
 		systemd_user_unix_stream_activated_socket($1_dbusd_t, session_dbusd_runtime_t)
 	')
+
+	optional_policy(`
+		init_dbus_chat($1_dbusd_t)
+		dbus_system_bus_client($1_dbusd_t)
+	')
+
+	optional_policy(`
+		xdg_read_data_files($1_dbusd_t)
+	')
 ')
 
 #######################################
Index: refpolicy-2.20210908/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20210908/policy/modules/services/ssh.if
@@ -440,6 +440,7 @@ template(`ssh_role_template',`
 		xserver_use_xdm_fds($1_ssh_agent_t)
 		xserver_rw_xdm_pipes($1_ssh_agent_t)
 		xserver_sigchld_xdm($1_ssh_agent_t)
+		xserver_write_inherited_xsession_log($1_ssh_agent_t)
 	')
 ')
 
Index: refpolicy-2.20210908/policy/modules/kernel/corecommands.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/kernel/corecommands.te
+++ refpolicy-2.20210908/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
 #
 # bin_t is the type of files in the system bin/sbin directories.
 #
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
 corecmd_executable_file(bin_t)
 dev_associate(bin_t)	#For /dev/MAKEDEV
 
Index: refpolicy-2.20210908/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20210908/policy/modules/system/systemd.te
@@ -65,10 +65,6 @@ type systemd_activate_t;
 type systemd_activate_exec_t;
 init_system_domain(systemd_activate_t, systemd_activate_exec_t)
 
-type systemd_analyze_t;
-type systemd_analyze_exec_t;
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
-
 type systemd_backlight_t;
 type systemd_backlight_exec_t;
 init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
@@ -1462,6 +1458,7 @@ tunable_policy(`systemd_tmpfilesd_factor
 ')
 
 optional_policy(`
+	dbus_manage_lib_files(systemd_tmpfiles_t)
 	dbus_read_lib_files(systemd_tmpfiles_t)
 	dbus_relabel_lib_dirs(systemd_tmpfiles_t)
 ')
Index: refpolicy-2.20210908/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/cron.te
+++ refpolicy-2.20210908/policy/modules/services/cron.te
@@ -486,6 +486,7 @@ kernel_getattr_core_if(system_cronjob_t)
 kernel_getattr_message_if(system_cronjob_t)
 
 kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_fs_sysctls(system_cronjob_t)
 kernel_read_irq_sysctls(system_cronjob_t)
 kernel_read_kernel_sysctls(system_cronjob_t)
 kernel_read_network_state(system_cronjob_t)
Index: refpolicy-2.20210908/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20210908/policy/modules/apps/pulseaudio.te
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau
 userdom_manage_user_tmp_dirs(pulseaudio_t)
 userdom_manage_user_tmp_files(pulseaudio_t)
 userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
 
 tunable_policy(`pulseaudio_execmem',`
 	allow pulseaudio_t self:process execmem;
Index: refpolicy-2.20210908/policy/modules/services/ntp.te
===================================================================
--- refpolicy-2.20210908.orig/policy/modules/services/ntp.te
+++ refpolicy-2.20210908/policy/modules/services/ntp.te
@@ -130,6 +130,7 @@ term_use_ptmx(ntpd_t)
 auth_use_nsswitch(ntpd_t)
 
 init_exec_script_files(ntpd_t)
+init_get_generic_units_status(ntpd_t)
 
 logging_send_syslog_msg(ntpd_t)