A few simple patches to allow map permission.
Index: refpolicy-2.20180211/policy/modules/system/logging.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/logging.te
+++ refpolicy-2.20180211/policy/modules/system/logging.te
@@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t)
domain_use_interactive_fds(audisp_t)
+files_map_etc_files(audisp_t)
files_read_etc_files(audisp_t)
files_read_etc_runtime_files(audisp_t)
@@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
# manage temporary files
manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
+allow syslogd_t syslogd_tmp_t:file map;
+
files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
@@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t)
# manage pid file
manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
+allow syslogd_t syslogd_var_run_t:file map;
+
files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
Index: refpolicy-2.20180211/policy/modules/system/lvm.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/lvm.te
+++ refpolicy-2.20180211/policy/modules/system/lvm.te
@@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
+allow lvm_t lvm_etc_t:file map;
+
read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
# Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
Index: refpolicy-2.20180211/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20180211/policy/modules/system/systemd.if
@@ -368,6 +368,7 @@ interface(`systemd_manage_journal_files'
manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
+ allow $1 systemd_journal_t:file map;
')
Index: refpolicy-2.20180211/policy/modules/kernel/files.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/kernel/files.if
+++ refpolicy-2.20180211/policy/modules/kernel/files.if
@@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',`
########################################
## <summary>
+## Map generic files in /etc.
+## </summary>
+## <desc>
+## <p>
+## Allow the specified domain to map generic files in /etc.
+## </p>
+## <p>
+## Related interfaces:
+## </p>
+## <ul>
+## <li>files_read_etc_files()</li>
+## </ul>
+## </desc>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+## <infoflow type="read" weight="10"/>
+#
+interface(`files_map_etc_files',`
+ gen_require(`
+ type etc_t;
+ ')
+
+ allow $1 etc_t:file map;
+')
+
+########################################
+## <summary>
## Do not audit attempts to write generic files in /etc.
## </summary>
## <param name="domain">
Index: refpolicy-2.20180211/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20180211/policy/modules/contrib/dpkg.if
@@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files'
allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
allow $1 dpkg_script_tmp_t:file manage_file_perms;
')
+
+########################################
+## <summary>
+## map dpkg_script_tmp_t files
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_map_script_tmp_files',`
+ gen_require(`
+ type dpkg_script_tmp_t;
+ ')
+
+ allow $1 dpkg_script_tmp_t:file map;
+')
Index: refpolicy-2.20180211/policy/modules/system/modutils.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/system/modutils.te
+++ refpolicy-2.20180211/policy/modules/system/modutils.te
@@ -132,7 +132,9 @@ optional_policy(`
')
optional_policy(`
+ # for postinst of a new kernel package
dpkg_manage_script_tmp_files(kmod_t)
+ dpkg_map_script_tmp_files(kmod_t)
')
optional_policy(`
Index: refpolicy-2.20180211/policy/modules/contrib/dictd.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/dictd.te
+++ refpolicy-2.20180211/policy/modules/contrib/dictd.te
@@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
domain_use_interactive_fds(dictd_t)
+files_map_usr_files(dictd_t)
files_read_etc_runtime_files(dictd_t)
files_read_usr_files(dictd_t)
files_search_var_lib(dictd_t)
Index: refpolicy-2.20180211/policy/modules/contrib/tor.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/tor.te
+++ refpolicy-2.20180211/policy/modules/contrib/tor.te
@@ -55,6 +55,7 @@ allow tor_t tor_etc_t:lnk_file read_lnk_
manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
+allow tor_t tor_var_lib_t:file map;
manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
Index: refpolicy-2.20180211/policy/modules/contrib/logrotate.te
===================================================================
--- refpolicy-2.20180211.orig/policy/modules/contrib/logrotate.te
+++ refpolicy-2.20180211/policy/modules/contrib/logrotate.te
@@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
domain_getattr_all_entry_files(logrotate_t)
domain_read_all_domains_state(logrotate_t)
+files_map_etc_files(logrotate_t)
files_read_usr_files(logrotate_t)
files_read_etc_runtime_files(logrotate_t)
files_read_all_pids(logrotate_t)
On 02/12/2018 07:46 PM, Russell Coker via refpolicy wrote:
> A few simple patches to allow map permission.
>
> Index: refpolicy-2.20180211/policy/modules/system/logging.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/logging.te
> +++ refpolicy-2.20180211/policy/modules/system/logging.te
> @@ -257,6 +257,7 @@ corecmd_exec_shell(audisp_t)
>
> domain_use_interactive_fds(audisp_t)
>
> +files_map_etc_files(audisp_t)
> files_read_etc_files(audisp_t)
> files_read_etc_runtime_files(audisp_t)
>
> @@ -418,6 +419,8 @@ files_pid_filetrans(syslogd_t, syslogd_t
> # manage temporary files
> manage_dirs_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> manage_files_pattern(syslogd_t, syslogd_tmp_t, syslogd_tmp_t)
> +allow syslogd_t syslogd_tmp_t:file map;
> +
> files_tmp_filetrans(syslogd_t, syslogd_tmp_t, { dir file })
>
> manage_files_pattern(syslogd_t, syslogd_var_lib_t, syslogd_var_lib_t)
> @@ -426,6 +429,8 @@ files_search_var_lib(syslogd_t)
>
> # manage pid file
> manage_files_pattern(syslogd_t, syslogd_var_run_t, syslogd_var_run_t)
> +allow syslogd_t syslogd_var_run_t:file map;
> +
> files_pid_filetrans(syslogd_t, syslogd_var_run_t, file)
> allow syslogd_t syslogd_var_run_t:dir create_dir_perms;
>
> Index: refpolicy-2.20180211/policy/modules/system/lvm.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/lvm.te
> +++ refpolicy-2.20180211/policy/modules/system/lvm.te
> @@ -211,6 +211,8 @@ manage_sock_files_pattern(lvm_t, lvm_var
> files_pid_filetrans(lvm_t, lvm_var_run_t, { file sock_file })
>
> read_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> +allow lvm_t lvm_etc_t:file map;
> +
> read_lnk_files_pattern(lvm_t, lvm_etc_t, lvm_etc_t)
> # Write to /etc/lvm, /etc/lvmtab, /etc/lvmtab.d
> manage_files_pattern(lvm_t, lvm_metadata_t, lvm_metadata_t)
> Index: refpolicy-2.20180211/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20180211/policy/modules/system/systemd.if
> @@ -368,6 +368,7 @@ interface(`systemd_manage_journal_files'
>
> manage_dirs_pattern($1, systemd_journal_t, systemd_journal_t)
> manage_files_pattern($1, systemd_journal_t, systemd_journal_t)
> + allow $1 systemd_journal_t:file map;
> ')
>
>
> Index: refpolicy-2.20180211/policy/modules/kernel/files.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/kernel/files.if
> +++ refpolicy-2.20180211/policy/modules/kernel/files.if
> @@ -2944,6 +2944,36 @@ interface(`files_read_etc_files',`
>
> ########################################
> ## <summary>
> +## Map generic files in /etc.
> +## </summary>
> +## <desc>
> +## <p>
> +## Allow the specified domain to map generic files in /etc.
> +## </p>
> +## <p>
> +## Related interfaces:
> +## </p>
> +## <ul>
> +## <li>files_read_etc_files()</li>
> +## </ul>
> +## </desc>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +## <infoflow type="read" weight="10"/>
> +#
> +interface(`files_map_etc_files',`
> + gen_require(`
> + type etc_t;
> + ')
> +
> + allow $1 etc_t:file map;
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to write generic files in /etc.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20180211/policy/modules/contrib/dpkg.if
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/dpkg.if
> +++ refpolicy-2.20180211/policy/modules/contrib/dpkg.if
> @@ -301,3 +301,21 @@ interface(`dpkg_manage_script_tmp_files'
> allow $1 dpkg_script_tmp_t:dir manage_dir_perms;
> allow $1 dpkg_script_tmp_t:file manage_file_perms;
> ')
> +
> +########################################
> +## <summary>
> +## map dpkg_script_tmp_t files
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dpkg_map_script_tmp_files',`
> + gen_require(`
> + type dpkg_script_tmp_t;
> + ')
> +
> + allow $1 dpkg_script_tmp_t:file map;
> +')
> Index: refpolicy-2.20180211/policy/modules/system/modutils.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/system/modutils.te
> +++ refpolicy-2.20180211/policy/modules/system/modutils.te
> @@ -132,7 +132,9 @@ optional_policy(`
> ')
>
> optional_policy(`
> + # for postinst of a new kernel package
> dpkg_manage_script_tmp_files(kmod_t)
> + dpkg_map_script_tmp_files(kmod_t)
> ')
>
> optional_policy(`
> Index: refpolicy-2.20180211/policy/modules/contrib/dictd.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/dictd.te
> +++ refpolicy-2.20180211/policy/modules/contrib/dictd.te
> @@ -57,6 +57,7 @@ dev_read_sysfs(dictd_t)
>
> domain_use_interactive_fds(dictd_t)
>
> +files_map_usr_files(dictd_t)
> files_read_etc_runtime_files(dictd_t)
> files_read_usr_files(dictd_t)
> files_search_var_lib(dictd_t)
> Index: refpolicy-2.20180211/policy/modules/contrib/tor.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/tor.te
> +++ refpolicy-2.20180211/policy/modules/contrib/tor.te
> @@ -55,6 +55,7 @@ allow tor_t tor_etc_t:lnk_file read_lnk_
>
> manage_dirs_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> manage_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> +allow tor_t tor_var_lib_t:file map;
> manage_sock_files_pattern(tor_t, tor_var_lib_t, tor_var_lib_t)
> files_var_lib_filetrans(tor_t, tor_var_lib_t, dir)
>
> Index: refpolicy-2.20180211/policy/modules/contrib/logrotate.te
> ===================================================================
> --- refpolicy-2.20180211.orig/policy/modules/contrib/logrotate.te
> +++ refpolicy-2.20180211/policy/modules/contrib/logrotate.te
> @@ -77,6 +77,7 @@ domain_use_interactive_fds(logrotate_t)
> domain_getattr_all_entry_files(logrotate_t)
> domain_read_all_domains_state(logrotate_t)
>
> +files_map_etc_files(logrotate_t)
> files_read_usr_files(logrotate_t)
> files_read_etc_runtime_files(logrotate_t)
> files_read_all_pids(logrotate_t)
Merged.
--
Chris PeBenito