Date: Wed, 27 Oct 2021 09:09:28 -0400
Subject: Re: [PATCH] misc kernel patches
To: Russell Coker, selinux-refpolicy@vger.kernel.org
From: Chris PeBenito
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 10/9/21 05:59, Russell Coker wrote:
> Allow systemd_nspawn_t to remount sysfs and stat cgroup.
>
> Allow it to mounton the kernel symbol table and use systemd_nspawn_runtime_t
> for named pipes.
>
> Allow systemd_passwd_agent_t the sys_resource capability and access to sysfs.
>
> Allow systemd_user_runtime_dir_t to delete user tmp dirs and named pipes.
>
> Allow udevadm_t to stat cgroups and tmpfs.
>
> Make certbot run in its own domain from unconfined_t.
>
> Added mounton_dir_perms and mounton_file_perms macros.
>
> Change corenet_tcp_connect_generic_port to allow connecting to
> unreserved_port_t as well as port_t.
> > Signed-off-by: Russell Coker > > Index: refpolicy-2.20210908/policy/modules/kernel/corecommands.fc > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/corecommands.fc > +++ refpolicy-2.20210908/policy/modules/kernel/corecommands.fc > @@ -305,7 +305,6 @@ ifdef(`distro_debian',` > /usr/sbin/sesh -- gen_context(system_u:object_r:shell_exec_t,s0) > /usr/sbin/smrsh -- gen_context(system_u:object_r:shell_exec_t,s0) > > -/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/(.*/)?bin(/.*)? gen_context(system_u:object_r:bin_t,s0) > /usr/share/ajaxterm/ajaxterm\.py.* -- gen_context(system_u:object_r:bin_t,s0) > /usr/share/ajaxterm/qweb\.py.* -- gen_context(system_u:object_r:bin_t,s0) > Index: refpolicy-2.20210908/policy/modules/kernel/devices.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/devices.if > +++ refpolicy-2.20210908/policy/modules/kernel/devices.if 
> @@ -4328,6 +4328,42 @@ interface(`dev_mount_sysfs',` > > ######################################## > ## > +## remount a sysfs filesystem > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_remount_sysfs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem remount; > +') > + > +######################################## > +## > +## unmount a sysfs filesystem > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`dev_unmount_sysfs',` > + gen_require(` > + type sysfs_t; > + ') > + > + allow $1 sysfs_t:filesystem unmount; > +') > + > +######################################## > +## > ## Do not audit getting the attributes of sysfs filesystem > ## > ## > Index: refpolicy-2.20210908/policy/modules/kernel/domain.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/domain.if > +++ refpolicy-2.20210908/policy/modules/kernel/domain.if > @@ -631,7 +631,7 @@ interface(`domain_read_all_domains_state > > ######################################## > ## > -## Get the attributes of all domains of all domains. > +## Get the attributes of all domains > ## > ## > ## > Index: refpolicy-2.20210908/policy/modules/kernel/files.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/files.if > +++ refpolicy-2.20210908/policy/modules/kernel/files.if 
> @@ -5506,6 +5506,25 @@ interface(`files_delete_kernel_symbol_ta > > ######################################## > ## > +## Delete a system.map in the /boot directory. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`files_mounton_kernel_symbol_table',` > + gen_require(` > + type boot_t, system_map_t; > + ') > + > + allow $1 boot_t:dir search_dir_perms; > + allow $1 system_map_t:file mounton_file_perms; > +') > + > +######################################## > +## > ## Search the contents of /var. > ## > ## > Index: refpolicy-2.20210908/policy/modules/kernel/selinux.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/selinux.if > +++ refpolicy-2.20210908/policy/modules/kernel/selinux.if > @@ -159,6 +159,24 @@ interface(`selinux_unmount_fs',` > > ######################################## > ## > +## Mount on the selinuxfs filesystem. > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`selinux_mounton_fs',` > + gen_require(` > + type security_t; > + ') > + > + allow $1 security_t:dir mounton_dir_perms; > +') > + > +######################################## > +## > ## Get the attributes of the selinuxfs filesystem > ## > ## > Index: refpolicy-2.20210908/policy/modules/system/authlogin.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/authlogin.te > +++ refpolicy-2.20210908/policy/modules/system/authlogin.te 
> @@ -108,12 +108,13 @@ optional_policy(` > > allow chkpwd_t self:capability { dac_override setuid }; > dontaudit chkpwd_t self:capability sys_tty_config; > -allow chkpwd_t self:process { getattr signal }; > +allow chkpwd_t self:process { getcap getattr signal }; > > allow chkpwd_t shadow_t:file read_file_perms; > files_list_etc(chkpwd_t) > > kernel_read_crypto_sysctls(chkpwd_t) > +kernel_read_kernel_sysctls(chkpwd_t) > kernel_dontaudit_search_kernel_sysctl(chkpwd_t) > kernel_dontaudit_read_kernel_sysctl(chkpwd_t) > kernel_dontaudit_getattr_proc(chkpwd_t) > @@ -129,6 +130,7 @@ files_read_etc_files(chkpwd_t) > files_dontaudit_search_var(chkpwd_t) > > fs_dontaudit_getattr_xattr_fs(chkpwd_t) > +fs_read_tmpfs_symlinks(chkpwd_t) > > selinux_get_enforce_mode(chkpwd_t) > > Index: refpolicy-2.20210908/policy/modules/system/fstools.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/fstools.te > +++ refpolicy-2.20210908/policy/modules/system/fstools.te > @@ -160,6 +160,8 @@ mount_exec(fsadm_t) > # for /run/mount/utab > mount_getattr_runtime_files(fsadm_t) > > +mount_rw_runtime_files(fsadm_t) > + > seutil_read_config(fsadm_t) > > userdom_use_user_terminals(fsadm_t) > Index: refpolicy-2.20210908/policy/modules/system/init.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/init.if > +++ refpolicy-2.20210908/policy/modules/system/init.if 
> @@ -3555,6 +3555,24 @@ interface(`init_linkable_keyring',` > > ######################################## > ## > +## stat systemd unit files > +## > +## > +## > +## Domain allowed access. > +## > +## > +# > +interface(`init_getattr_all_unit_files',` > + gen_require(` > + attribute systemdunit; > + ') > + > + allow $1 systemdunit:file getattr; > +') > + > +######################################## > +## > ## Allow unconfined access to send instructions to init > ## > ## > Index: refpolicy-2.20210908/policy/modules/system/init.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/init.te > +++ refpolicy-2.20210908/policy/modules/system/init.te > @@ -1082,6 +1082,7 @@ ifdef(`init_systemd',` > init_get_all_units_status(initrc_t) > init_manage_var_lib_files(initrc_t) > init_rw_stream_sockets(initrc_t) > + init_stop_system(initrc_t) > > # Create /etc/audit.rules.prev after firstboot remediation > logging_manage_audit_config(initrc_t) > Index: refpolicy-2.20210908/policy/modules/system/logging.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/logging.te > +++ refpolicy-2.20210908/policy/modules/system/logging.te > @@ -519,7 +519,8 @@ ifdef(`init_systemd',` > # for systemd-journal > allow syslogd_t self:netlink_audit_socket connected_socket_perms; > allow syslogd_t self:capability2 audit_read; > - allow syslogd_t self:capability { chown setgid setuid sys_ptrace }; > + allow syslogd_t self:capability { chown setgid setuid sys_ptrace audit_control }; > + allow syslogd_t self:cap_userns sys_ptrace; > allow syslogd_t self:netlink_audit_socket { getattr getopt read setopt write nlmsg_write }; > > # remove /run/log/journal when switching to permanent storage 
> @@ -538,6 +539,7 @@ ifdef(`init_systemd',` > > domain_getattr_all_domains(syslogd_t) > domain_read_all_domains_state(syslogd_t) > + domain_signull_all_domains(syslogd_t) > > init_create_runtime_dirs(syslogd_t) > init_daemon_runtime_file(syslogd_runtime_t, dir, "syslogd") > Index: refpolicy-2.20210908/policy/modules/system/lvm.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/lvm.te > +++ refpolicy-2.20210908/policy/modules/system/lvm.te > @@ -232,6 +232,8 @@ optional_policy(` > ') > > optional_policy(` > + apt_use_fds(lvm_t) > + > dpkg_script_rw_pipes(lvm_t) > ') > > Index: refpolicy-2.20210908/policy/modules/system/miscfiles.fc > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/miscfiles.fc > +++ refpolicy-2.20210908/policy/modules/system/miscfiles.fc > @@ -14,6 +14,8 @@ ifdef(`distro_gentoo',` > /etc/pki(/.*)? gen_context(system_u:object_r:cert_t,s0) > /etc/pki/.*/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) > /etc/ssl(/.*)? gen_context(system_u:object_r:cert_t,s0) > +/etc/ssl/private(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) > +/etc/letsencrypt(/.*)? gen_context(system_u:object_r:tls_privkey_t,s0) > /etc/timezone -- gen_context(system_u:object_r:locale_t,s0) > > ifdef(`distro_debian',` > Index: refpolicy-2.20210908/policy/modules/system/modutils.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/modutils.te > +++ refpolicy-2.20210908/policy/modules/system/modutils.te 
> @@ -33,7 +33,7 @@ ifdef(`init_systemd',` > # insmod local policy > # > > -allow kmod_t self:capability { dac_override net_raw sys_nice sys_tty_config }; > +allow kmod_t self:capability { dac_override dac_read_search net_raw sys_nice sys_tty_config }; > allow kmod_t self:process { execmem sigchld sigkill sigstop signull signal }; > # for the radeon/amdgpu modules > dontaudit kmod_t self:capability sys_admin; > @@ -139,6 +139,8 @@ optional_policy(` > dpkg_manage_script_tmp_files(kmod_t) > dpkg_map_script_tmp_files(kmod_t) > dpkg_read_script_tmp_symlinks(kmod_t) > + apt_use_fds(kmod_t) > + apt_use_ptys(kmod_t) > ') > > optional_policy(` > Index: refpolicy-2.20210908/policy/modules/system/mount.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/mount.te > +++ refpolicy-2.20210908/policy/modules/system/mount.te > @@ -219,6 +219,14 @@ optional_policy(` > samba_run_smbmount(mount_t, mount_roles) > ') > > +optional_policy(` > + ssh_rw_pipes(mount_t) > +') > + > +optional_policy(` > + xen_read_image_files(mount_t) > +') > + > ######################################## > # > # Unconfined mount local policy > Index: refpolicy-2.20210908/policy/modules/system/raid.fc > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/raid.fc > +++ refpolicy-2.20210908/policy/modules/system/raid.fc 
> @@ -11,6 +11,8 @@ > /usr/bin/mdmpd -- gen_context(system_u:object_r:mdadm_exec_t,s0) > /usr/bin/raid-check -- gen_context(system_u:object_r:mdadm_exec_t,s0) > > +/usr/share/mdadm/checkarray -- gen_context(system_u:object_r:mdadm_exec_t,s0) > + > # Systemd unit files > /usr/lib/systemd/system/[^/]*mdadm-.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) > /usr/lib/systemd/system/[^/]*mdmon.* -- gen_context(system_u:object_r:mdadm_unit_t,s0) > Index: refpolicy-2.20210908/policy/modules/system/raid.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/raid.te > +++ refpolicy-2.20210908/policy/modules/system/raid.te > @@ -54,6 +54,7 @@ dev_dontaudit_getattr_all_blk_files(mdad > dev_dontaudit_getattr_all_chr_files(mdadm_t) > dev_read_realtime_clock(mdadm_t) > > +domain_dontaudit_search_all_domains_state(mdadm_t) > domain_use_interactive_fds(mdadm_t) > > files_read_etc_files(mdadm_t) > @@ -90,6 +91,7 @@ userdom_dontaudit_use_user_terminals(mda > > optional_policy(` > cron_system_entry(mdadm_t, mdadm_exec_t) > + cron_rw_tmp_files(mdadm_t) > ') > > optional_policy(` > Index: refpolicy-2.20210908/policy/modules/system/systemd.fc > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/systemd.fc > +++ refpolicy-2.20210908/policy/modules/system/systemd.fc 
> @@ -5,7 +5,6 @@ > > /run/log/journal(/.*)? gen_context(system_u:object_r:systemd_journal_t,s0) > > -/usr/bin/systemd-analyze -- gen_context(system_u:object_r:systemd_analyze_exec_t,s0) > /usr/bin/systemd-cgtop -- gen_context(system_u:object_r:systemd_cgtop_exec_t,s0) > /usr/bin/systemd-coredump -- gen_context(system_u:object_r:systemd_coredump_exec_t,s0) > /usr/bin/systemd-detect-virt -- gen_context(system_u:object_r:systemd_detect_virt_exec_t,s0) > Index: refpolicy-2.20210908/policy/modules/system/systemd.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/systemd.te > +++ refpolicy-2.20210908/policy/modules/system/systemd.te > @@ -392,10 +392,11 @@ ifdef(`enable_mls',` > # > > allow systemd_coredump_t self:unix_dgram_socket { create write connect getopt setopt }; > -allow systemd_coredump_t self:capability { setgid setuid setpcap }; > +allow systemd_coredump_t self:capability { dac_override dac_read_search setgid setuid setpcap sys_ptrace }; > allow systemd_coredump_t self:process { getcap setcap setfscreate }; > > manage_files_pattern(systemd_coredump_t, systemd_coredump_var_lib_t, systemd_coredump_var_lib_t) > +allow systemd_coredump_t systemd_coredump_var_lib_t:file map; > > kernel_domtrans_to(systemd_coredump_t, systemd_coredump_exec_t) > kernel_read_kernel_sysctls(systemd_coredump_t) > @@ -413,6 +414,7 @@ files_read_etc_files(systemd_coredump_t) > files_search_var_lib(systemd_coredump_t) > > fs_getattr_xattr_fs(systemd_coredump_t) > +fs_search_tmpfs(systemd_coredump_t) > > selinux_getattr_fs(systemd_coredump_t) > > @@ -434,6 +436,8 @@ allow systemd_generator_t self:fifo_file > allow systemd_generator_t self:capability dac_override; > allow systemd_generator_t self:process setfscreate; > > +allow systemd_generator_t systemd_unit_t:file getattr; > + > corecmd_exec_shell(systemd_generator_t) > corecmd_getattr_bin_files(systemd_generator_t) 
> > @@ -445,6 +449,7 @@ files_read_etc_files(systemd_generator_t > files_search_runtime(systemd_generator_t) > files_list_boot(systemd_generator_t) > files_read_boot_files(systemd_generator_t) > +files_read_config_files(systemd_generator_t) > files_search_all_mountpoints(systemd_generator_t) > files_list_usr(systemd_generator_t) > > @@ -453,6 +458,8 @@ fs_getattr_cgroup(systemd_generator_t) > fs_getattr_xattr_fs(systemd_generator_t) > > init_create_runtime_files(systemd_generator_t) > +init_read_all_script_files(systemd_generator_t) > +init_getattr_all_unit_files(systemd_generator_t) > init_manage_runtime_dirs(systemd_generator_t) > init_manage_runtime_symlinks(systemd_generator_t) > init_read_runtime_files(systemd_generator_t) > @@ -943,6 +950,9 @@ allow systemd_nspawn_t self:capability { > allow systemd_nspawn_t self:capability2 wake_alarm; > allow systemd_nspawn_t self:unix_dgram_socket connected_socket_perms; > allow systemd_nspawn_t self:unix_stream_socket create_stream_socket_perms; > +allow systemd_nspawn_t self:netlink_route_socket create_netlink_socket_perms; > +allow systemd_nspawn_t self:netlink_generic_socket create_socket_perms; > +allow systemd_nspawn_t self:udp_socket { create ioctl }; > > allow systemd_nspawn_t systemd_journal_t:dir search; > > @@ -979,6 +989,9 @@ dev_getattr_fs(systemd_nspawn_t) > dev_manage_sysfs_dirs(systemd_nspawn_t) > dev_mounton_sysfs_dirs(systemd_nspawn_t) > dev_mount_sysfs(systemd_nspawn_t) > +dev_remount_sysfs(systemd_nspawn_t) > +dev_unmount_sysfs(systemd_nspawn_t) > +dev_read_sysfs(systemd_nspawn_t) > dev_read_rand(systemd_nspawn_t) > dev_read_urand(systemd_nspawn_t) > > @@ -991,6 +1004,7 @@ files_mounton_tmp(systemd_nspawn_t) > files_read_kernel_symbol_table(systemd_nspawn_t) > files_setattr_runtime_dirs(systemd_nspawn_t) > > +fs_getattr_cgroup(systemd_nspawn_t) > fs_getattr_tmpfs(systemd_nspawn_t) > fs_manage_tmpfs_chr_files(systemd_nspawn_t) > fs_mount_tmpfs(systemd_nspawn_t) 
> @@ -1014,6 +1028,7 @@ init_write_runtime_socket(systemd_nspawn > init_spec_domtrans_script(systemd_nspawn_t) > > miscfiles_manage_localization(systemd_nspawn_t) > +udev_read_runtime_files(systemd_nspawn_t) > > # for writing inside chroot > sysnet_manage_config(systemd_nspawn_t) > @@ -1030,8 +1045,14 @@ tunable_policy(`systemd_nspawn_labeled_n > # manage etc symlinks for /etc/localtime > files_manage_etc_symlinks(systemd_nspawn_t) > files_mounton_runtime_dirs(systemd_nspawn_t) > + files_mounton_kernel_symbol_table(systemd_nspawn_t) > files_search_home(systemd_nspawn_t) > > + files_tmp_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, fifo_file) > + allow systemd_nspawn_t systemd_nspawn_runtime_t:fifo_file manage_fifo_file_perms; > + fs_tmpfs_filetrans(systemd_nspawn_t, systemd_nspawn_runtime_t, sock_file) > + allow systemd_nspawn_t systemd_nspawn_runtime_t:sock_file manage_sock_file_perms; > + > fs_getattr_cgroup(systemd_nspawn_t) > fs_manage_cgroup_dirs(systemd_nspawn_t) > fs_manage_tmpfs_dirs(systemd_nspawn_t) > @@ -1049,6 +1070,7 @@ tunable_policy(`systemd_nspawn_labeled_n > selinux_getattr_fs(systemd_nspawn_t) > selinux_remount_fs(systemd_nspawn_t) > selinux_search_fs(systemd_nspawn_t) > + selinux_mounton_fs(systemd_nspawn_t) > > init_domtrans(systemd_nspawn_t) > > @@ -1076,7 +1098,7 @@ optional_policy(` > # systemd_passwd_agent_t local policy > # > > -allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override }; > +allow systemd_passwd_agent_t self:capability { chown sys_tty_config dac_override sys_resource }; > allow systemd_passwd_agent_t self:process { setfscreate setsockcreate signal }; > allow systemd_passwd_agent_t self:unix_dgram_socket create_socket_perms; 
> > @@ -1087,14 +1109,19 @@ manage_sock_files_pattern(systemd_passwd > manage_fifo_files_pattern(systemd_passwd_agent_t, systemd_passwd_runtime_t, systemd_passwd_runtime_t) > init_runtime_filetrans(systemd_passwd_agent_t, systemd_passwd_runtime_t, { dir fifo_file file }) > > +can_exec(systemd_passwd_agent_t, systemd_passwd_agent_exec_t) > + > kernel_read_system_state(systemd_passwd_agent_t) > kernel_stream_connect(systemd_passwd_agent_t) > > dev_create_generic_dirs(systemd_passwd_agent_t) > dev_read_generic_files(systemd_passwd_agent_t) > +dev_read_sysfs(systemd_passwd_agent_t) > +dev_write_sysfs_dirs(systemd_passwd_agent_t) > dev_write_generic_sock_files(systemd_passwd_agent_t) > dev_write_kmsg(systemd_passwd_agent_t) > > +corecmd_search_bin(systemd_passwd_agent_t) > files_read_etc_files(systemd_passwd_agent_t) > > fs_getattr_xattr_fs(systemd_passwd_agent_t) > @@ -1103,6 +1130,7 @@ selinux_get_enforce_mode(systemd_passwd_ > selinux_getattr_fs(systemd_passwd_agent_t) > > term_read_console(systemd_passwd_agent_t) > +term_use_unallocated_ttys(systemd_passwd_agent_t) > > auth_use_nsswitch(systemd_passwd_agent_t) > > @@ -1161,7 +1189,7 @@ logging_send_syslog_msg(systemd_pstore_t > # Rfkill local policy > # > > -allow systemd_rfkill_t self:netlink_kobject_uevent_socket { bind create getattr read setopt }; > +allow systemd_rfkill_t self:netlink_kobject_uevent_socket create_socket_perms; > > manage_dirs_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) > manage_files_pattern(systemd_rfkill_t, systemd_rfkill_var_lib_t, systemd_rfkill_var_lib_t) 
> @@ -1346,6 +1374,8 @@ allow systemd_tmpfiles_t systemd_tmpfile > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:dir search_dir_perms; > allow systemd_tmpfiles_t systemd_tmpfiles_conf_type:file read_file_perms; > > +allow systemd_tmpfiles_t systemd_nspawn_runtime_t:fifo_file unlink; > + > kernel_getattr_proc(systemd_tmpfiles_t) > kernel_read_kernel_sysctls(systemd_tmpfiles_t) > kernel_read_network_state(systemd_tmpfiles_t) > @@ -1617,6 +1647,8 @@ userdom_delete_all_user_runtime_chr_file > userdom_manage_user_tmp_dirs(systemd_user_runtime_dir_t) > userdom_manage_user_tmp_files(systemd_user_runtime_dir_t) > > +userdom_delete_user_tmp_dirs(systemd_user_runtime_dir_t) > +userdom_delete_user_tmp_named_pipes(systemd_user_runtime_dir_t) > userdom_search_user_runtime_root(systemd_user_runtime_dir_t) > userdom_user_runtime_root_filetrans_user_runtime(systemd_user_runtime_dir_t, dir) > userdom_manage_user_runtime_dirs(systemd_user_runtime_dir_t) > Index: refpolicy-2.20210908/policy/modules/system/udev.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/udev.te > +++ refpolicy-2.20210908/policy/modules/system/udev.te > @@ -391,6 +391,10 @@ allow udevadm_t udev_runtime_t:dir watch > dev_rw_sysfs(udevadm_t) > dev_read_urand(udevadm_t) > > +fs_getattr_cgroup(udevadm_t) > +fs_getattr_tmpfs(udevadm_t) > +fs_search_cgroup_dirs(udevadm_t) > + > files_read_etc_files(udevadm_t) > files_read_usr_files(udevadm_t) > > Index: refpolicy-2.20210908/policy/modules/system/unconfined.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/unconfined.if > +++ refpolicy-2.20210908/policy/modules/system/unconfined.if 
> @@ -38,7 +38,7 @@ interface(`unconfined_domain_noaudit',` > > # Use most Linux capabilities > allow $1 self:{ capability cap_userns } { chown dac_override dac_read_search fowner fsetid kill setgid setuid setpcap linux_immutable net_bind_service net_broadcast net_admin net_raw ipc_lock ipc_owner sys_rawio sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time sys_tty_config mknod lease audit_write audit_control setfcap }; > - allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm }; > + allow $1 self:{ capability2 cap2_userns } { syslog wake_alarm bpf perfmon }; > allow $1 self:fifo_file manage_fifo_file_perms; > > # Transition to myself, to make get_ordered_context_list happy. > Index: refpolicy-2.20210908/policy/modules/system/unconfined.te > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/unconfined.te > +++ refpolicy-2.20210908/policy/modules/system/unconfined.te > @@ -84,6 +84,10 @@ optional_policy(` > ') > > optional_policy(` > + certbot_run(unconfined_t, unconfined_r) > +') > + > +optional_policy(` > cron_unconfined_role(unconfined_r, unconfined_t) > ') > > Index: refpolicy-2.20210908/policy/support/obj_perm_sets.spt > =================================================================== > --- refpolicy-2.20210908.orig/policy/support/obj_perm_sets.spt > +++ refpolicy-2.20210908/policy/support/obj_perm_sets.spt > @@ -142,6 +142,7 @@ define(`manage_dir_perms',`{ create open > define(`relabelfrom_dir_perms',`{ getattr relabelfrom }') > define(`relabelto_dir_perms',`{ getattr relabelto }') > define(`relabel_dir_perms',`{ getattr relabelfrom relabelto }') > +define(`mounton_dir_perms',`{ getattr mounton }') > > # > # Regular file (file) 
> @@ -169,6 +170,7 @@ define(`manage_file_perms',`{ create ope > define(`relabelfrom_file_perms',`{ getattr relabelfrom }') > define(`relabelto_file_perms',`{ getattr relabelto }') > define(`relabel_file_perms',`{ getattr relabelfrom relabelto }') > +define(`mounton_file_perms',`{ getattr mounton }') > > # > # Symbolic link (lnk_file) > Index: refpolicy-2.20210908/policy/modules/system/lvm.if > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/system/lvm.if > +++ refpolicy-2.20210908/policy/modules/system/lvm.if > @@ -61,6 +61,7 @@ interface(`lvm_run',` > > lvm_domtrans($1) > role $2 types lvm_t; > + allow $1 lvm_t:sem rw_sem_perms; > ') > > ######################################## > Index: refpolicy-2.20210908/policy/modules/kernel/corenetwork.if.in > =================================================================== > --- refpolicy-2.20210908.orig/policy/modules/kernel/corenetwork.if.in > +++ refpolicy-2.20210908/policy/modules/kernel/corenetwork.if.in > @@ -1422,10 +1422,10 @@ interface(`corenet_udp_bind_generic_port > # > interface(`corenet_tcp_connect_generic_port',` > gen_require(` > - type port_t; > + type port_t, unreserved_port_t; > ') > > - allow $1 port_t:tcp_socket name_connect; > + allow $1 { port_t unreserved_port_t }:tcp_socket name_connect; > ') > > ######################################## I'm a bit dubious on this, but if we make this change, it should be reflected in all of the other generic_port interfaces. I think I'm ok with the rule changes otherwise; however, I'll wait on this due to the mounton questions in your other patch. -- Chris PeBenito
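Review bot: the summaries of the new interfaces `dev_remount_sysfs` and `dev_unmount_sysfs` in the devices.if hunk ("remount a sysfs filesystem", "unmount a sysfs filesystem") and of `init_getattr_all_unit_files` in the init.if hunk ("stat systemd unit files") start lowercase, while the neighbouring summaries in both files are capitalised sentences such as "Do not audit getting the attributes of sysfs filesystem"; capitalise them so the generated interface documentation stays consistent.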
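Review bot: the summary on the new `files_mounton_kernel_symbol_table` interface in the files.if hunk reads "Delete a system.map in the /boot directory.", which is copied from the `files_delete_kernel_symbol_ta...` interface just above it and does not describe what the new interface grants (search on `boot_t` and `mounton_file_perms` on `system_map_t`); change it to something like "Mount on the system.map file in the /boot directory." so the documentation does not mislead policy writers.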
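Review bot: in the first authlogin.te hunk, `kernel_read_kernel_sysctls(chkpwd_t)` is inserted directly above the existing `kernel_dontaudit_search_kernel_sysctl(chkpwd_t)` and `kernel_dontaudit_read_kernel_sysctl(chkpwd_t)`; once reading kernel sysctls is allowed those two dontaudit calls are dead rules, so either remove them in the same change or, if chkpwd only needs one specific sysctl, use the narrower interface and keep the dontaudits.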
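Review bot: in the fstools.te hunk, `mount_rw_runtime_files(fsadm_t)` is added two lines below `mount_getattr_runtime_files(fsadm_t)`, which it subsumes (read/write file permissions include getattr); replace the getattr call rather than adding alongside it, and keep the `# for /run/mount/utab` comment attached to the surviving call so the reason for the access is not lost.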
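Review bot: the init.te hunk adds `init_stop_system(initrc_t)`, which lets any init script domain shut the system down, a notable widening for a domain that runs a great many scripts, and nothing in the commit message covers it; state which script triggered the denial in the description, and consider whether a dontaudit or a transition into a dedicated domain is the better fix for that script.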
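Review bot: in the lvm.te hunk, `apt_use_fds(lvm_t)` is placed inside the optional_policy block that already holds `dpkg_script_rw_pipes(lvm_t)`, and the second modutils.te hunk does the same with `apt_use_fds(kmod_t)` and `apt_use_ptys(kmod_t)` next to the `dpkg_*` calls. apt and dpkg are separate modules, and an optional block is only enabled when every requirement in it resolves, so on a system without the apt module loaded the dpkg rules would silently disappear as well; give the apt calls their own optional_policy block in both files, following the one-module-per-block convention used elsewhere in the patch.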
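Review bot: in the miscfiles.fc hunk, `/etc/letsencrypt(/.*)?` labels the whole certbot state tree `tls_privkey_t`, which puts renewal configuration, account data and the public certificate chains under the private-key type rather than only the keys, so every domain that is given private-key access gains access to all of it. Since the same patch adds `certbot_run` for unconfined_t, these contexts belong more naturally in the certbot module's .fc, with the private-key label limited to the `archive` and `live` trees where certbot keeps the keys and the rest labelled as certbot configuration or `cert_t`.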
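Review bot: the systemd.fc hunk removes the `/usr/bin/systemd-analyze` file context but leaves `systemd_analyze_exec_t` and whatever domain transitions on it in place, and the commit message does not mention the change; either explain why the binary should now run in the caller's domain and remove the orphaned type and its rules in the same change, or drop this hunk from the patch.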
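Review bot: the systemd.te hunk at @@ -392 widens systemd_coredump_t from `{ setgid setuid setpcap }` to `{ dac_override dac_read_search setgid setuid setpcap sys_ptrace }`; dac_read_search alone normally covers reading another user's files and directories and sys_ptrace covers reading /proc of the crashing process, so check whether dac_override was actually hit in the audit log or only probed, and dontaudit it instead if the latter, as the modutils.te hunk does for `sys_admin` on kmod_t.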
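Review bot: the systemd.te hunk at @@ -434 adds a raw `allow systemd_generator_t systemd_unit_t:file getattr;`, while the hunk at @@ -453 adds `init_getattr_all_unit_files(systemd_generator_t)`, whose new interface grants getattr on every type carrying the `systemdunit` attribute; if systemd_unit_t carries that attribute, as unit file types do, the raw rule is redundant, and in any case it reaches directly into a type owned by the init module instead of going through an interface. Drop the raw rule and keep only the interface call.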
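Review bot: the unconfined.te hunk calls `certbot_run(unconfined_t, unconfined_r)`, but no certbot module is part of this patch; the optional_policy wrapper keeps the build working without it, yet the commit message claim that certbot now runs in its own domain cannot be verified from this series alone. Post the certbot module alongside this patch, or hold this hunk back until it has been merged.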