From: "Sugar, David"
To: Russell Coker
CC: "selinux-refpolicy@vger.kernel.org"
Subject: Re: [PATCH] misc strict patches
Date: Mon, 26 Sep 2022 22:42:22 +0000
Russell,

kernel_read_crypto_sysctls was added to domain.te a week or so ago (6ff1259688e8dad630e815ec2e384be1c2fedbf1); it shouldn't be needed in userdom_base_user_template at this point.

Dave

From: Russell Coker
Sent: Sunday, September 25, 2022 9:57 AM
To: selinux-refpolicy@vger.kernel.org
Subject: [PATCH] misc strict patches

Some misc patches to make things work in a "strict" configuration.

Allow base user domains to read crypto and vm overcommit status.

Allow pulseaudio to write all user_runtime_content_type named sockets.

Allow sysadm_t to read/write netlink_generic_socket, read
netlink_tcpdiag_socket, have audit_write capability, get scheduling data,
get systemd unit status, talk to logind via dbus, and have direct USB access.

Allow the xserver_role domains to accept a unix_stream_socket from xdm_t and
map xkb_var_lib_t.

Add extra access to the $1_dbusd_t domains.

Allow the ssh agent to write to an inherited xsession log.

Removed the domain systemd_analyze_t, all it's doing is talking to systemd
and formatting the output it gets.

Allow system_cronjob_t to read fs sysctls, and allow ntpd_t to get generic
units status.

I think this is ready to merge.

Signed-off-by: Russell Coker

Index: refpolicy-2.20220925/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20220925.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20220925/policy/modules/system/userdomain.if
@@ -69,6 +69,8 @@ template(`userdom_base_user_template',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 dontaudit $1_t user_tty_device_t:chr_file ioctl;= =0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 kernel_read_kernel_sysctls($1_t)=0A= +=A0=A0=A0=A0=A0=A0 kernel_read_crypto_sysctls($1_t)=0A= +=A0=A0=A0=A0=A0=A0 kernel_read_vm_overcommit_sysctl($1_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_list_unlabeled($1_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_getattr_unlabeled_files($1_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 kernel_dontaudit_getattr_unlabeled_symlinks($1_t)= =0A= @@ -3664,6 +3666,25 @@ interface(`userdom_relabelfrom_user_runt=0A= =A0')=0A= =A0=0A= =A0########################################=0A= +## =0A= +##=A0=A0=A0=A0 write user runtime socket files=0A= +## =0A= +## =0A= +##=A0=A0=A0=A0 =0A= +##=A0=A0=A0=A0 Domain allowed access.=0A= +##=A0=A0=A0=A0 =0A= +## =0A= +#=0A= +interface(`userdom_write_all_user_runtime_named_sockets',`=0A= +=A0=A0=A0=A0=A0=A0 gen_require(`=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 attribute user_runtime_content_= type;=0A= +=A0=A0=A0=A0=A0=A0 ')=0A= +=0A= +=A0=A0=A0=A0=A0=A0 allow $1 user_runtime_content_type:dir list_dir_perms;= =0A= +=A0=A0=A0=A0=A0=A0 allow $1 user_runtime_content_type:sock_file write;=0A= +')=0A= +=0A= +########################################=0A= =A0## =0A= =A0##=A0=A0=A0=A0=A0 delete user runtime files=0A= =A0## =0A= Index: refpolicy-2.20220925/policy/modules/roles/sysadm.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/roles/sysadm.te=0A= +++ refpolicy-2.20220925/policy/modules/roles/sysadm.te=0A= 
@@ -33,11 +33,22 @@ ifndef(`enable_mls',`=0A= =A0# Local policy=0A= =A0#=0A= =A0=0A= +allow sysadm_t self:netlink_generic_socket { create setopt bind write read= };=0A= +=0A= +# for ptrace=0A= +allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read = };=0A= +=0A= +allow sysadm_t self:capability audit_write;=0A= +allow sysadm_t self:system status;=0A= +=0A= =A0corecmd_exec_shell(sysadm_t)=0A= =A0=0A= =A0corenet_ib_access_unlabeled_pkeys(sysadm_t)=0A= =A0corenet_ib_manage_subnet_unlabeled_endports(sysadm_t)=0A= =A0=0A= +domain_getsched_all_domains(sysadm_t)=0A= +=0A= +dev_read_cpuid(sysadm_t)=0A= =A0dev_read_kmsg(sysadm_t)=0A= =A0dev_rw_ipmi_dev(sysadm_t)=0A= =A0=0A= @@ -59,6 +70,9 @@ init_admin(sysadm_t)=0A= =A0userdom_manage_user_home_dirs(sysadm_t)=0A= =A0userdom_home_filetrans_user_home_dir(sysadm_t)=0A= =A0=0A= +# for systemd-analyze=0A= +files_get_etc_unit_status(sysadm_t)=0A= +=0A= =A0ifdef(`direct_sysadm_daemon',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 init_run_daemon(sysadm_t, = sysadm_r)=0A= @@ -1049,6 +1063,10 @@ optional_policy(`=0A= =A0')=0A= =A0=0A= =A0optional_policy(`=0A= +=A0=A0=A0=A0=A0=A0 systemd_dbus_chat_logind(sysadm_t)=0A= +')=0A= +=0A= +optional_policy(`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 tboot_run_txtstat(sysadm_t, sysadm_r)=0A= =A0')=0A= =A0=0A= @@ -1116,6 +1134,7 @@ optional_policy(`=0A= =A0')=0A= =A0=0A= =A0optional_policy(`=0A= +=A0=A0=A0=A0=A0=A0 dev_rw_generic_usb_dev(sysadm_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 usbmodules_run(sysadm_t, sysadm_r)=0A= =A0')=0A= =A0=0A= Index: refpolicy-2.20220925/policy/modules/services/xserver.if=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/services/xserver.if=0A= +++ refpolicy-2.20220925/policy/modules/services/xserver.if=0A= 
@@ -111,6 +111,7 @@ template(`xserver_restricted_role',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_xsession_entry_type($2)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_dontaudit_write_log($2)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_stream_connect_xdm($2)=0A= +=A0=A0=A0=A0=A0=A0 xserver_use_user_fonts($2)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 # certain apps want to read xdm.pid file=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_read_xdm_runtime_files($2)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 # gnome-session creates socket under /tmp/.ICE-uni= x/=0A= @@ -169,7 +170,7 @@ template(`xserver_role',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 gen_require(`=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type iceauth_home_t, xserv= er_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type user_fonts_t, user_fo= nts_cache_t, user_fonts_config_t;=0A= -=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type mesa_shader_cache_t;=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 type mesa_shader_cache_t, xdm_t= ;=0A= =A0=A0=A0=A0=A0=A0=A0=A0 ')=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_restricted_role($1, $2, $3, $4)=0A= @@ -212,6 +213,8 @@ template(`xserver_role',`=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 xserver_read_xkb_libs($2)=0A= =A0=0A= +=A0=A0=A0=A0=A0=A0 allow $2 xdm_t:unix_stream_socket accept;=0A= +=0A= =A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_app_status($1= , xserver_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 ')=0A= 
@@ -1256,6 +1259,7 @@ interface(`xserver_read_xkb_libs',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow $1 xkb_var_lib_t:dir list_dir_perms;=0A= =A0=A0=A0=A0=A0=A0=A0=A0 read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_= t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_= lib_t)=0A= +=A0=A0=A0=A0=A0=A0 allow $1 xkb_var_lib_t:file map;=0A= =A0')=0A= =A0=0A= =A0########################################=0A= Index: refpolicy-2.20220925/policy/modules/services/dbus.if=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/services/dbus.if=0A= +++ refpolicy-2.20220925/policy/modules/services/dbus.if=0A= @@ -85,6 +85,7 @@ template(`dbus_role_template',`=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:unix_stream_socket connectto;= =0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };= =0A= +=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t $3:dbus send_msg;=0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow $3 $1_dbusd_t:fd use;=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 dontaudit $1_dbusd_t self:process getcap;=0A= @@ -105,9 +106,13 @@ template(`dbus_role_template',`=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t $3:process sigkill;=0A= =A0=0A= +=A0=A0=A0=A0=A0=A0 allow $1_dbusd_t self:process getcap;=0A= +=0A= =A0=A0=A0=A0=A0=A0=A0=A0 corecmd_bin_domtrans($1_dbusd_t, $3)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 corecmd_shell_domtrans($1_dbusd_t, $3)=0A= =A0=0A= +=A0=A0=A0=A0=A0=A0 dev_read_sysfs($1_dbusd_t)=0A= +=0A= =A0=A0=A0=A0=A0=A0=A0=A0 auth_use_nsswitch($1_dbusd_t)=0A= =A0=0A= =A0=A0=A0=A0=A0=A0=A0=A0 optional_policy(`=0A= 
@@ -115,6 +120,15 @@ template(`dbus_role_template',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_daemon_domain= ($1, dbusd_exec_t, $1_dbusd_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 systemd_user_unix_stream_a= ctivated_socket($1_dbusd_t, session_dbusd_runtime_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 ')=0A= +=0A= +=A0=A0=A0=A0=A0=A0 optional_policy(`=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 init_dbus_chat($1_dbusd_t)=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 dbus_system_bus_client($1_dbusd= _t)=0A= +=A0=A0=A0=A0=A0=A0 ')=0A= +=0A= +=A0=A0=A0=A0=A0=A0 optional_policy(`=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xdg_read_data_files($1_dbusd_t)= =0A= +=A0=A0=A0=A0=A0=A0 ')=0A= =A0')=0A= =A0=0A= =A0#######################################=0A= Index: refpolicy-2.20220925/policy/modules/services/ssh.if=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/services/ssh.if=0A= +++ refpolicy-2.20220925/policy/modules/services/ssh.if=0A= 
@@ -470,6 +470,7 @@ template(`ssh_role_template',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_use_xdm_fds($1_ssh= _agent_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_rw_xdm_pipes($1_ss= h_agent_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_sigchld_xdm($1_ssh= _agent_t)=0A= +=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0=A0 xserver_write_inherited_xsessio= n_log($1_ssh_agent_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 ')=0A= =A0')=0A= =A0=0A= Index: refpolicy-2.20220925/policy/modules/kernel/corecommands.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/kernel/corecommands.te=0A= +++ refpolicy-2.20220925/policy/modules/kernel/corecommands.te=0A= @@ -13,7 +13,7 @@ attribute exec_type;=0A= =A0#=0A= =A0# bin_t is the type of files in the system bin/sbin directories.=0A= =A0#=0A= -type bin_t alias { ls_exec_t sbin_t };=0A= +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };=0A= =A0typealias bin_t alias { systemd_detect_virt_t systemd_run_exec_t };=0A= =A0corecmd_executable_file(bin_t)=0A= =A0dev_associate(bin_t)=A0=A0=A0 #For /dev/MAKEDEV=0A= Index: refpolicy-2.20220925/policy/modules/system/systemd.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/system/systemd.te=0A= +++ refpolicy-2.20220925/policy/modules/system/systemd.te=0A= 
@@ -64,10 +64,6 @@ type systemd_activate_t;=0A= =A0type systemd_activate_exec_t;=0A= =A0init_system_domain(systemd_activate_t, systemd_activate_exec_t)=0A= =A0=0A= -type systemd_analyze_t;=0A= -type systemd_analyze_exec_t;=0A= -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)=0A= -=0A= =A0type systemd_backlight_t;=0A= =A0type systemd_backlight_exec_t;=0A= =A0init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)=0A= @@ -1695,6 +1691,7 @@ tunable_policy(`systemd_tmpfiles_manage_=0A= =A0')=0A= =A0=0A= =A0optional_policy(`=0A= +=A0=A0=A0=A0=A0=A0 dbus_manage_lib_files(systemd_tmpfiles_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 dbus_read_lib_files(systemd_tmpfiles_t)=0A= =A0=A0=A0=A0=A0=A0=A0=A0 dbus_relabel_lib_dirs(systemd_tmpfiles_t)=0A= =A0')=0A= Index: refpolicy-2.20220925/policy/modules/services/cron.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/services/cron.te=0A= +++ refpolicy-2.20220925/policy/modules/services/cron.te=0A= @@ -483,6 +483,7 @@ allow system_cronjob_t crond_tmp_t:file=0A= =A0kernel_getattr_core_if(system_cronjob_t)=0A= =A0kernel_getattr_message_if(system_cronjob_t)=0A= =A0=0A= +kernel_read_fs_sysctls(system_cronjob_t)=0A= =A0kernel_read_irq_sysctls(system_cronjob_t)=0A= =A0kernel_read_kernel_sysctls(system_cronjob_t)=0A= =A0kernel_read_network_state(system_cronjob_t)=0A= Index: refpolicy-2.20220925/policy/modules/apps/pulseaudio.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/apps/pulseaudio.te=0A= +++ refpolicy-2.20220925/policy/modules/apps/pulseaudio.te=0A= 
@@ -156,6 +156,7 @@ userdom_search_user_home_content(pulseau=0A= =A0userdom_manage_user_tmp_dirs(pulseaudio_t)=0A= =A0userdom_manage_user_tmp_files(pulseaudio_t)=0A= =A0userdom_manage_user_tmp_sockets(pulseaudio_t)=0A= +userdom_write_all_user_runtime_named_sockets(pulseaudio_t)=0A= =A0=0A= =A0tunable_policy(`pulseaudio_execmem',`=0A= =A0=A0=A0=A0=A0=A0=A0=A0 allow pulseaudio_t self:process execmem;=0A= Index: refpolicy-2.20220925/policy/modules/services/ntp.te=0A= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D= =3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=3D=0A= --- refpolicy-2.20220925.orig/policy/modules/services/ntp.te=0A= +++ refpolicy-2.20220925/policy/modules/services/ntp.te=0A= @@ -131,6 +131,7 @@ term_use_ptmx(ntpd_t)=0A= =A0auth_use_nsswitch(ntpd_t)=0A= =A0=0A= =A0init_exec_script_files(ntpd_t)=0A= +init_get_generic_units_status(ntpd_t)=0A= =A0=0A= =A0logging_send_syslog_msg(ntpd_t)=0A= =A0=
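Review bot: in the userdom_base_user_template hunk of userdomain.if, the added kernel_read_crypto_sysctls($1_t) duplicates access that the reply above says is already granted to every domain in domain.te (commit 6ff1259688e8dad630e815ec2e384be1c2fedbf1), so drop that line and keep only kernel_read_vm_overcommit_sysctl($1_t).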
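Review bot: the new userdom_write_all_user_runtime_named_sockets interface grants more than its summary ("write user runtime socket files") states: besides `allow $1 user_runtime_content_type:sock_file write;` it adds `allow $1 user_runtime_content_type:dir list_dir_perms;` over every type carrying the attribute. Either document the directory listing in the summary or, if only the pulseaudio caller needs it, leave the dir permission to the caller so the interface does what its name says.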
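Review bot: in the first sysadm.te hunk, the `# for ptrace` comment above `allow sysadm_t self:netlink_tcpdiag_socket { create write nlmsg_read read };` does not match the permission: netlink_tcpdiag_socket is the socket-diagnostics netlink family used by tools such as ss, not anything ptrace does, so name the program that produced the denial instead. The same hunk also adds dev_read_cpuid(sysadm_t), which the commit message does not mention, and the raw `allow sysadm_t self:netlink_generic_socket ...` and `allow sysadm_t self:capability audit_write;` rules would be easier to maintain with a one-line comment each naming the use case.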
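Review bot: in the last sysadm.te hunk, `dev_rw_generic_usb_dev(sysadm_t)` is placed inside the optional_policy block that wraps usbmodules_run(sysadm_t, sysadm_r). Interfaces from the devices module do not depend on the usbmodules module being loaded, so move the dev_rw_generic_usb_dev call out of that block and next to the other dev_* calls earlier in the file.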
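Review bot: the xserver_restricted_role hunk in xserver.if adds xserver_use_user_fonts($2), which is not listed in the commit message (it only describes the xserver_role changes for xdm_t and xkb_var_lib_t); add it to the description or split it into its own commit so the change is traceable.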
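Review bot: in the xserver_read_xkb_libs hunk, the added `allow $1 xkb_var_lib_t:file map;` sits directly under read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t); if this tree has the mmap_read_files_pattern macro, replacing the read_files_pattern call with it expresses the same read plus map access through the standard pattern instead of a raw allow.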
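Review bot: the second dbus_role_template hunk adds `allow $1_dbusd_t self:process getcap;` while the context of the first hunk still contains `dontaudit $1_dbusd_t self:process getcap;`. Once the permission is allowed the dontaudit is dead; remove it in the same patch so the template does not carry both rules for one permission.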
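Review bot: the new optional_policy block in the third dbus_role_template hunk combines init_dbus_chat($1_dbusd_t) with dbus_system_bus_client($1_dbusd_t), which mixes two modules; an optional_policy block should depend on exactly one module, and dbus_system_bus_client is local to dbus.if so it needs no optional wrapper at all. Keep init_dbus_chat in its own optional_policy and call dbus_system_bus_client directly.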
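Review bot: the systemd.te hunk removes the systemd_analyze_t and systemd_analyze_exec_t declarations, and the corecommands.te alias `type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };` keeps existing file-context entries resolving, but the patch touches neither systemd.if nor systemd.fc. Confirm that no interface, transition rule or file-context entry elsewhere still references systemd_analyze_t, otherwise the policy build fails once the type is gone.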
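Review bot: in the systemd_tmpfiles_t hunk of systemd.te, dbus_manage_lib_files(systemd_tmpfiles_t) is added directly above the existing dbus_read_lib_files(systemd_tmpfiles_t); manage subsumes read, so the read call is now redundant and should be dropped, and this change is not mentioned in the commit message.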