LinuxLists.cc - strict patch again with controversial sections removed

2020-04-10 06:58:09

Subject: strict patch again with controversial sections removed

Signed-off-by: Russell Coker <[email protected]>

Index: refpolicy-2.20200410/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20200410/policy/modules/system/userdomain.if
@@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
dontaudit $1_t user_tty_device_t:chr_file ioctl;

kernel_read_kernel_sysctls($1_t)
+ kernel_read_crypto_sysctls($1_t)
+ kernel_read_vm_overcommit_sysctl($1_t)
kernel_dontaudit_list_unlabeled($1_t)
kernel_dontaudit_getattr_unlabeled_files($1_t)
kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
Index: refpolicy-2.20200410/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20200410/policy/modules/roles/sysadm.te
@@ -57,6 +57,9 @@ selinux_read_policy(sysadm_t)
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)

+# for systemd-analyze
+files_get_etc_unit_status(sysadm_t)
+
ifdef(`direct_sysadm_daemon',`
optional_policy(`
init_run_daemon(sysadm_t, sysadm_r)
@@ -1119,6 +1122,10 @@ optional_policy(`
')

optional_policy(`
+ systemd_dbus_chat_logind(sysadm_t)
+')
+
+optional_policy(`
tboot_run_txtstat(sysadm_t, sysadm_r)
')

@@ -1186,6 +1193,7 @@ optional_policy(`
')

optional_policy(`
+ dev_rw_generic_usb_dev(sysadm_t)
usbmodules_run(sysadm_t, sysadm_r)
')

Index: refpolicy-2.20200410/policy/modules/services/xserver.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
+++ refpolicy-2.20200410/policy/modules/services/xserver.if
@@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
xserver_xsession_entry_type($2)
xserver_dontaudit_write_log($2)
xserver_stream_connect_xdm($2)
+ xserver_use_user_fonts($2)
# certain apps want to read xdm.pid file
xserver_read_xdm_pid($2)
# gnome-session creates socket under /tmp/.ICE-unix/
@@ -140,7 +141,7 @@ interface(`xserver_role',`
gen_require(`
type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
- type mesa_shader_cache_t;
+ type mesa_shader_cache_t, xdm_t;
')

xserver_restricted_role($1, $2)
@@ -183,6 +184,8 @@ interface(`xserver_role',`

xserver_read_xkb_libs($2)

+ allow $2 xdm_t:unix_stream_socket accept;
+
optional_policy(`
xdg_manage_all_cache($2)
xdg_relabel_all_cache($2)
@@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
allow $1 xkb_var_lib_t:dir list_dir_perms;
read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
+ allow $1 xkb_var_lib_t:file map;
')

########################################
Index: refpolicy-2.20200410/policy/modules/services/dbus.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/dbus.if
+++ refpolicy-2.20200410/policy/modules/services/dbus.if
@@ -84,6 +84,7 @@ template(`dbus_role_template',`

allow $3 $1_dbusd_t:unix_stream_socket connectto;
allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
+ allow $1_dbusd_t $3:dbus send_msg;
allow $3 $1_dbusd_t:fd use;

allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
@@ -99,9 +100,13 @@ template(`dbus_role_template',`

allow $1_dbusd_t $3:process sigkill;

+ allow $1_dbusd_t self:process getcap;
+
corecmd_bin_domtrans($1_dbusd_t, $3)
corecmd_shell_domtrans($1_dbusd_t, $3)

+ dev_read_sysfs($1_dbusd_t)
+
auth_use_nsswitch($1_dbusd_t)

ifdef(`hide_broken_symptoms',`
@@ -109,8 +114,17 @@ template(`dbus_role_template',`
')

optional_policy(`
+ init_dbus_chat($1_dbusd_t)
+ dbus_system_bus_client($1_dbusd_t)
+ ')
+
+ optional_policy(`
systemd_read_logind_pids($1_dbusd_t)
')
+
+ optional_policy(`
+ xdg_read_data_files($1_dbusd_t)
+ ')
')

#######################################
Index: refpolicy-2.20200410/policy/modules/services/ssh.if
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
+++ refpolicy-2.20200410/policy/modules/services/ssh.if
@@ -437,6 +437,7 @@ template(`ssh_role_template',`
xserver_use_xdm_fds($1_ssh_agent_t)
xserver_rw_xdm_pipes($1_ssh_agent_t)
xserver_sigchld_xdm($1_ssh_agent_t)
+ xserver_write_inherited_xsession_log($1_ssh_agent_t)
')
')

Index: refpolicy-2.20200410/policy/modules/kernel/corecommands.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/kernel/corecommands.te
+++ refpolicy-2.20200410/policy/modules/kernel/corecommands.te
@@ -13,7 +13,7 @@ attribute exec_type;
#
# bin_t is the type of files in the system bin/sbin directories.
#
-type bin_t alias { ls_exec_t sbin_t };
+type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
corecmd_executable_file(bin_t)
dev_associate(bin_t) #For /dev/MAKEDEV

Index: refpolicy-2.20200410/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20200410/policy/modules/system/systemd.te
@@ -38,10 +38,6 @@ type systemd_activate_t;
type systemd_activate_exec_t;
init_system_domain(systemd_activate_t, systemd_activate_exec_t)

-type systemd_analyze_t;
-type systemd_analyze_exec_t;
-init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
-
type systemd_backlight_t;
type systemd_backlight_exec_t;
init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
@@ -1259,6 +1255,7 @@ tunable_policy(`systemd_tmpfiles_manage_
')

optional_policy(`
+ dbus_manage_lib_files(systemd_tmpfiles_t)
dbus_read_lib_files(systemd_tmpfiles_t)
dbus_relabel_lib_dirs(systemd_tmpfiles_t)
')
Index: refpolicy-2.20200410/policy/modules/services/cron.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/services/cron.te
+++ refpolicy-2.20200410/policy/modules/services/cron.te
@@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t)
kernel_getattr_message_if(system_cronjob_t)

kernel_read_crypto_sysctls(system_cronjob_t)
+kernel_read_fs_sysctls(system_cronjob_t)
kernel_read_irq_sysctls(system_cronjob_t)
kernel_read_kernel_sysctls(system_cronjob_t)
kernel_read_network_state(system_cronjob_t)
Index: refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
===================================================================
--- refpolicy-2.20200410.orig/policy/modules/apps/pulseaudio.te
+++ refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
@@ -157,6 +157,7 @@ userdom_search_user_home_content(pulseau
userdom_manage_user_tmp_dirs(pulseaudio_t)
userdom_manage_user_tmp_files(pulseaudio_t)
userdom_manage_user_tmp_sockets(pulseaudio_t)
+userdom_write_all_user_runtime_named_sockets(pulseaudio_t)

tunable_policy(`pulseaudio_execmem',`
allow pulseaudio_t self:process execmem;

2020-04-14 16:27:25

by Chris PeBenito

[permalink] [raw]

Subject: Re: strict patch again with controversial sections removed

On 4/10/20 2:57 AM, Russell Coker wrote:
> Signed-off-by: Russell Coker <[email protected]>
>
>
> Index: refpolicy-2.20200410/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20200410/policy/modules/system/userdomain.if
> @@ -68,6 +68,8 @@ template(`userdom_base_user_template',`
> dontaudit $1_t user_tty_device_t:chr_file ioctl;
>
> kernel_read_kernel_sysctls($1_t)
> + kernel_read_crypto_sysctls($1_t)
> + kernel_read_vm_overcommit_sysctl($1_t)
> kernel_dontaudit_list_unlabeled($1_t)
> kernel_dontaudit_getattr_unlabeled_files($1_t)
> kernel_dontaudit_getattr_unlabeled_symlinks($1_t)
> Index: refpolicy-2.20200410/policy/modules/roles/sysadm.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/roles/sysadm.te
> +++ refpolicy-2.20200410/policy/modules/roles/sysadm.te
> @@ -57,6 +57,9 @@ selinux_read_policy(sysadm_t)
> userdom_manage_user_home_dirs(sysadm_t)
> userdom_home_filetrans_user_home_dir(sysadm_t)
>
> +# for systemd-analyze
> +files_get_etc_unit_status(sysadm_t)

Should go up in the init_systemd block.

> ifdef(`direct_sysadm_daemon',`
> optional_policy(`
> init_run_daemon(sysadm_t, sysadm_r)
> @@ -1119,6 +1122,10 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_dbus_chat_logind(sysadm_t)
> +')
> +
> +optional_policy(`
> tboot_run_txtstat(sysadm_t, sysadm_r)
> ')
>
> @@ -1186,6 +1193,7 @@ optional_policy(`
> ')
>
> optional_policy(`
> + dev_rw_generic_usb_dev(sysadm_t)
> usbmodules_run(sysadm_t, sysadm_r)
> ')
>
> Index: refpolicy-2.20200410/policy/modules/services/xserver.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/xserver.if
> +++ refpolicy-2.20200410/policy/modules/services/xserver.if
> @@ -102,6 +102,7 @@ interface(`xserver_restricted_role',`
> xserver_xsession_entry_type($2)
> xserver_dontaudit_write_log($2)
> xserver_stream_connect_xdm($2)
> + xserver_use_user_fonts($2)
> # certain apps want to read xdm.pid file
> xserver_read_xdm_pid($2)
> # gnome-session creates socket under /tmp/.ICE-unix/
> @@ -140,7 +141,7 @@ interface(`xserver_role',`
> gen_require(`
> type iceauth_home_t, xserver_t, xserver_tmp_t, xserver_tmpfs_t, xauth_home_t;
> type user_fonts_t, user_fonts_cache_t, user_fonts_config_t;
> - type mesa_shader_cache_t;
> + type mesa_shader_cache_t, xdm_t;
> ')
>
> xserver_restricted_role($1, $2)
> @@ -183,6 +184,8 @@ interface(`xserver_role',`
>
> xserver_read_xkb_libs($2)
>
> + allow $2 xdm_t:unix_stream_socket accept;
> +
> optional_policy(`
> xdg_manage_all_cache($2)
> xdg_relabel_all_cache($2)
> @@ -1251,6 +1254,7 @@ interface(`xserver_read_xkb_libs',`
> allow $1 xkb_var_lib_t:dir list_dir_perms;
> read_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> read_lnk_files_pattern($1, xkb_var_lib_t, xkb_var_lib_t)
> + allow $1 xkb_var_lib_t:file map;
> ')
>
> ########################################
> Index: refpolicy-2.20200410/policy/modules/services/dbus.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/dbus.if
> +++ refpolicy-2.20200410/policy/modules/services/dbus.if
> @@ -84,6 +84,7 @@ template(`dbus_role_template',`
>
> allow $3 $1_dbusd_t:unix_stream_socket connectto;
> allow $3 $1_dbusd_t:dbus { send_msg acquire_svc };
> + allow $1_dbusd_t $3:dbus send_msg;

Should go down in the next huk with the sigkill line.

> allow $3 $1_dbusd_t:fd use;
>
> allow $3 system_dbusd_t:dbus { send_msg acquire_svc };
> @@ -99,9 +100,13 @@ template(`dbus_role_template',`
>
> allow $1_dbusd_t $3:process sigkill;
>
> + allow $1_dbusd_t self:process getcap;
> +
> corecmd_bin_domtrans($1_dbusd_t, $3)
> corecmd_shell_domtrans($1_dbusd_t, $3)
>
> + dev_read_sysfs($1_dbusd_t)
> +
> auth_use_nsswitch($1_dbusd_t)
>
> ifdef(`hide_broken_symptoms',`
> @@ -109,8 +114,17 @@ template(`dbus_role_template',`
> ')
>
> optional_policy(`
> + init_dbus_chat($1_dbusd_t)
> + dbus_system_bus_client($1_dbusd_t)
> + ')
> +
> + optional_policy(`
> systemd_read_logind_pids($1_dbusd_t)
> ')
> +
> + optional_policy(`
> + xdg_read_data_files($1_dbusd_t)
> + ')
> ')
>
> #######################################
> Index: refpolicy-2.20200410/policy/modules/services/ssh.if
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/ssh.if
> +++ refpolicy-2.20200410/policy/modules/services/ssh.if
> @@ -437,6 +437,7 @@ template(`ssh_role_template',`
> xserver_use_xdm_fds($1_ssh_agent_t)
> xserver_rw_xdm_pipes($1_ssh_agent_t)
> xserver_sigchld_xdm($1_ssh_agent_t)
> + xserver_write_inherited_xsession_log($1_ssh_agent_t)
> ')
> ')
>
> Index: refpolicy-2.20200410/policy/modules/kernel/corecommands.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/kernel/corecommands.te
> +++ refpolicy-2.20200410/policy/modules/kernel/corecommands.te
> @@ -13,7 +13,7 @@ attribute exec_type;
> #
> # bin_t is the type of files in the system bin/sbin directories.
> #
> -type bin_t alias { ls_exec_t sbin_t };
> +type bin_t alias { ls_exec_t sbin_t systemd_analyze_exec_t };
> corecmd_executable_file(bin_t)
> dev_associate(bin_t) #For /dev/MAKEDEV
>
> Index: refpolicy-2.20200410/policy/modules/system/systemd.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/system/systemd.te
> +++ refpolicy-2.20200410/policy/modules/system/systemd.te
> @@ -38,10 +38,6 @@ type systemd_activate_t;
> type systemd_activate_exec_t;
> init_system_domain(systemd_activate_t, systemd_activate_exec_t)
>
> -type systemd_analyze_t;
> -type systemd_analyze_exec_t;
> -init_daemon_domain(systemd_analyze_t, systemd_analyze_exec_t)
> -
> type systemd_backlight_t;
> type systemd_backlight_exec_t;
> init_system_domain(systemd_backlight_t, systemd_backlight_exec_t)
> @@ -1259,6 +1255,7 @@ tunable_policy(`systemd_tmpfiles_manage_
> ')
>
> optional_policy(`
> + dbus_manage_lib_files(systemd_tmpfiles_t)
> dbus_read_lib_files(systemd_tmpfiles_t)
> dbus_relabel_lib_dirs(systemd_tmpfiles_t)
> ')
> Index: refpolicy-2.20200410/policy/modules/services/cron.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/services/cron.te
> +++ refpolicy-2.20200410/policy/modules/services/cron.te
> @@ -493,6 +493,7 @@ kernel_getattr_core_if(system_cronjob_t)
> kernel_getattr_message_if(system_cronjob_t)
>
> kernel_read_crypto_sysctls(system_cronjob_t)
> +kernel_read_fs_sysctls(system_cronjob_t)
> kernel_read_irq_sysctls(system_cronjob_t)
> kernel_read_kernel_sysctls(system_cronjob_t)
> kernel_read_network_state(system_cronjob_t)
> Index: refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
> ===================================================================
> --- refpolicy-2.20200410.orig/policy/modules/apps/pulseaudio.te
> +++ refpolicy-2.20200410/policy/modules/apps/pulseaudio.te
> @@ -157,6 +157,7 @@ userdom_search_user_home_content(pulseau
> userdom_manage_user_tmp_dirs(pulseaudio_t)
> userdom_manage_user_tmp_files(pulseaudio_t)
> userdom_manage_user_tmp_sockets(pulseaudio_t)
> +userdom_write_all_user_runtime_named_sockets(pulseaudio_t)
>
> tunable_policy(`pulseaudio_execmem',`
> allow pulseaudio_t self:process execmem;
>

--
Chris PeBenito