2017-04-19 10:47:51

by Russell Coker

Subject: [refpolicy] [PATCH] fist "strict" patch

This is the first patch for policy I developed running in a "strict"
configuration. That means with the unconfined module removed from the
policy. It is possible that some patches from this are needed even in a
"targeted" configuration. But most are only related to strict configuration.

There are no dependencies with other patches I've sent recently.

Index: refpolicy-2.20170419/policy/modules/system/fstools.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
+++ refpolicy-2.20170419/policy/modules/system/fstools.te
@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
mls_file_read_all_levels(fsadm_t)
mls_file_write_all_levels(fsadm_t)

+selinux_getattr_fs(fsadm_t)
+
storage_raw_read_fixed_disk(fsadm_t)
storage_raw_write_fixed_disk(fsadm_t)
storage_raw_read_removable_device(fsadm_t)
Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)

userdom_use_user_terminals(load_policy_t)
userdom_use_all_users_fds(load_policy_t)
+dev_read_urand(load_policy_t)

ifdef(`distro_ubuntu',`
optional_policy(`
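Review bot: `dev_read_urand(load_policy_t)` is appended after the `userdom_*` calls, while this file groups interface calls by module in alphabetical order (the setfiles_t hunk further down shows the `fs_getattr_*` calls kept sorted), so it belongs in the `dev_*` group earlier in the load_policy_t section, outside this hunk. The same applies to `fs_getattr_pstorefs(restorecond_t)` in the next hunk, which should sit directly after `fs_getattr_pstore_dirs(restorecond_t)` rather than after `fs_relabelfrom_noxattr_fs(restorecond_t)`. Keeping the order is what makes duplicate or overlapping rules visible in later reviews of a policy that is only ever widened.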
@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
fs_getattr_tracefs(restorecond_t)
fs_list_inotifyfs(restorecond_t)
fs_relabelfrom_noxattr_fs(restorecond_t)
+fs_getattr_pstorefs(restorecond_t)

selinux_validate_context(restorecond_t)
selinux_compute_access_vector(restorecond_t)
@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
kernel_read_kernel_sysctls(semanage_t)

corecmd_exec_bin(semanage_t)
+corecmd_exec_shell(semanage_t)

dev_read_urand(semanage_t)

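Review bot: `corecmd_exec_shell(semanage_t)` lets the policy-management domain execute a shell, and neither the hunk nor the commit message says which semanage operation needs it. A one-line comment naming the trigger, such as `# semanage runs <helper> through a shell -- REVIEW: name the helper`, would let a later reviewer judge whether executing that specific helper is enough instead of a general shell. If this came from a single audit denial, quoting it in the commit message would help.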
@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
files_dontaudit_read_all_symlinks(setfiles_t)

fs_getattr_all_xattr_fs(setfiles_t)
+fs_getattr_nfs(setfiles_t)
fs_getattr_pstore_dirs(setfiles_t)
fs_getattr_pstorefs(setfiles_t)
fs_getattr_tracefs(setfiles_t)
Index: refpolicy-2.20170419/policy/modules/system/systemd.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
+++ refpolicy-2.20170419/policy/modules/system/systemd.te
@@ -854,6 +854,11 @@ optional_policy(`
')

optional_policy(`
+ apt_use_fds(systemd_tmpfiles_t)
+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
+')
+
+optional_policy(`
xfs_create_tmp_dirs(systemd_tmpfiles_t)
')
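Review bot: The new optional block mixes `apt_use_fds(systemd_tmpfiles_t)` and `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)`, which come from two different modules; an optional block is only enabled when every interface it references resolves, so on a system with dpkg but not apt (or the reverse) both rules silently drop out. Split it: close the block after `apt_use_fds(systemd_tmpfiles_t)` and open a second optional block containing only `dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)`. The single-space indentation on the added lines also looks like mail mangling of the file's tabs and is worth checking before the patch is applied.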

Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`

########################################
## <summary>
+## Inherit and use file descriptors
+## from dpkg scripts.
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dpkg_script_rw_inherited_fifos',`
+ gen_require(`
+ type dpkg_script_t;
+ ')
+
+ allow $1 dpkg_script_t:fd use;
+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
+')
+
+########################################
+## <summary>
## Read dpkg package database content.
## </summary>
## <param name="domain">
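Review bot: The summary of `dpkg_script_rw_inherited_fifos` only says "Inherit and use file descriptors from dpkg scripts", but the body also grants `rw_inherited_file_perms` on `dpkg_script_t:fifo_file`, which is what distinguishes it from the existing `dpkg_use_script_fds` named in the hunk header. Make the summary state both, e.g. `## Inherit and use file descriptors and read/write inherited fifo files from dpkg scripts.` If `dpkg_use_script_fds` already grants `fd use` (its body is outside the hunk), calling it from the new interface instead of repeating the allow rule keeps the two in step.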
Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
@@ -33,6 +33,7 @@ type dpkg_script_t;
domain_type(dpkg_script_t)
domain_entry_file(dpkg_t, dpkg_var_lib_t)
domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
corecmd_shell_entry_type(dpkg_script_t)
corecmd_bin_entry_type(dpkg_script_t)
domain_obj_id_change_exemption(dpkg_script_t)
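Review bot: `domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)` together with `spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)` in the next hunk turns a temporary-file type into an entry point for the maintainer-script domain, so any executable labelled `dpkg_script_tmp_t` that dpkg_t runs is promoted into dpkg_script_t. Whether that is acceptable depends on who can create `dpkg_script_tmp_t` files (the filetrans and manage rules for that type are outside these hunks); if only dpkg_script_t itself can, that is worth stating, and if other domains can write there the entry point is wider than intended. Add a comment above the line naming the dpkg behaviour that executes scripts from tmp, e.g. `# dpkg executes maintainer scripts it unpacks under tmp -- REVIEW: confirm the path`, and mention it in the commit message.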
@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
allow dpkg_t dpkg_lock_t:file manage_file_perms;

spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)

manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
userdom_use_user_terminals(system_mail_t)

optional_policy(`
+ apt_use_fds(system_mail_t)
+ apt_use_ptys(system_mail_t)
+')
+
+optional_policy(`
apache_read_squirrelmail_data(system_mail_t)
apache_append_squirrelmail_data(system_mail_t)
apache_dontaudit_append_log(system_mail_t)
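Review bot: The new apt block is inserted ahead of the apache block, whereas the file orders optional blocks alphabetically by module (apache before apt). Move the two `apt_use_*` lines into a block placed after the apache block that follows in the hunk (its end is outside the hunk). Placement is functionally harmless; the point is keeping the per-domain sections scannable when the next reviewer looks for an existing apt rule.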
Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
init_exec(sysadm_t)
init_admin(sysadm_t)

+selinux_read_policy(sysadm_t)
+
# Add/remove user home directories
userdom_manage_user_home_dirs(sysadm_t)
userdom_home_filetrans_user_home_dir(sysadm_t)
@@ -99,6 +101,10 @@ optional_policy(`
')

optional_policy(`
+ system_mail_role(sysadm_r)
+')
+
+optional_policy(`
amanda_run_recover(sysadm_t, sysadm_r)
')
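Review bot: `system_mail_role(sysadm_r)` is the only interface call in this file without a module prefix; every other mta interface is `mta_*` (the `mta_role` header is visible in the mta.if hunk), so the new interface should be named `mta_system_mail_role` and the call here updated to match, and the same rename applies to its definition in the mta.if hunk. The block is also inserted before the amanda block while the file orders optional blocks alphabetically by module, so it belongs later in the section, outside this hunk. It would help to say in the commit message which transition from a sysadm_r domain into system_mail_t was denied, since that is the reason to widen the role.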

Index: refpolicy-2.20170419/policy/modules/services/xserver.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
+++ refpolicy-2.20170419/policy/modules/services/xserver.te
@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })

allow xdm_t xauth_home_t:file manage_file_perms;
-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file, ".Xauthority")
+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors")

allow xauth_t xdm_t:process sigchld;
allow xauth_t xdm_t:fd use;
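Review bot: Replacing the unnamed `userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)` with the `".Xauthority"`-named form narrows the transition: any other file xdm_t creates directly in a user home directory no longer becomes `xauth_home_t` and instead takes whatever the default transition for that directory yields (presumably plain home content; the default is not visible here). That is probably the intended tightening, but the commit message should say so, and it is worth checking that the existing `allow xdm_t xauth_home_t:file manage_file_perms;` on the context line was not relied on for files other than .Xauthority.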
Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
@@ -189,7 +189,7 @@ optional_policy(`
# Groupadd local policy
#

-allow groupadd_t self:capability { audit_write chown dac_override kill setuid sys_resource };
+allow groupadd_t self:capability { audit_write chown dac_override fsetid kill setuid sys_resource };
dontaudit groupadd_t self:capability { fsetid sys_tty_config };
allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack };
allow groupadd_t self:process { setrlimit setfscreate };
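Review bot: `fsetid` is added to the `allow groupadd_t self:capability` set, but the following `dontaudit groupadd_t self:capability { fsetid sys_tty_config };` still lists it; a permission that is allowed is never denied, so the dontaudit entry is dead and misleads the next person reading audit rules. Trim it to `dontaudit groupadd_t self:capability sys_tty_config;`. A sentence in the commit message on what groupadd does with fsetid would justify allowing it rather than keeping the dontaudit that was there before.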
Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
# Local policy
#

-allow apt_t self:capability { chown dac_override fowner fsetid };
+allow apt_t self:capability { chown dac_override fowner fsetid kill setgid setuid };
allow apt_t self:process { signal setpgid fork };
allow apt_t self:fd use;
allow apt_t self:fifo_file rw_fifo_file_perms;
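Review bot: `kill setgid setuid` are added to `apt_t`'s self capabilities with no comment or commit-message line saying which apt operation needs them; setuid and setgid are the privilege-switching capabilities, so the reason should be recorded next to the rule. If apt is dropping to an unprivileged user for its download helpers (plausible, but not shown here), a comment such as `# apt switches uid/gid to its download user -- REVIEW: confirm` above the allow line documents that. If only `kill` was actually observed in audit logs, leave the other two out until a denial shows they are needed.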
@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file })

manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
files_var_filetrans(apt_t, apt_var_cache_t, dir)

manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l

allow apt_t apt_var_log_t:file manage_file_perms;
logging_log_filetrans(apt_t, apt_var_log_t, file)
+allow apt_t apt_var_log_t:dir manage_dir_perms;

can_exec(apt_t, apt_exec_t)

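Review bot: `allow apt_t apt_var_log_t:dir manage_dir_perms;` lets apt create directories of this type, but the `logging_log_filetrans(apt_t, apt_var_log_t, file)` two lines above only transitions files, so a directory apt creates directly under the log directory would not be labelled `apt_var_log_t` unless something else names it. If apt creates its own log subdirectory, change the transition to `logging_log_filetrans(apt_t, apt_var_log_t, { file dir })`; if the directory is created by packaging and only managed here, the file-only transition is fine and a one-line comment saying so stops the question from recurring.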
Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
===================================================================
--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
@@ -121,6 +121,23 @@ interface(`mta_role',`

########################################
## <summary>
+## Enable system_mail_t to run in the specified role
+## </summary>
+## <param name="role">
+## <summary>
+## Role allowed access.
+## </summary>
+## </param>
+#
+interface(`system_mail_role',`
+ gen_require(`
+ type system_mail_t;
+ ')
+ role $1 types system_mail_t;
+')
+
+########################################
+## <summary>
## Make the specified domain usable for a mail server.
## </summary>
## <param name="type">
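Review bot: `mta_role`, whose header opens the hunk and whose body lies outside it, is the existing interface that assigns mail domains to a role; if it already contains `role $1 types system_mail_t;` the new `system_mail_role` is redundant, and if it does not, adding that line there may be the smaller change, since callers of `mta_role` presumably need the same transition. If a separate interface is kept, end the summary with a period for consistency with the surrounding blocks: `## Enable system_mail_t to run in the specified role.`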


2017-04-19 11:28:32

by guido

Subject: [refpolicy] [PATCH] fist "strict" patch

Hi.

The file .xsession-errors is of type xsession_log_t and not user home content. So you should probably fix the file transition for xdm_t.

Regards,

Guido

On the 19th of April 2017 12:47:51 CEST, Russell Coker via refpolicy <[email protected]> wrote:
>This is the first patch for policy I developed running in a "strict"
>configuration. That means with the unconfined module removed from the
>policy. It is possible that some patches from this are needed even in
>a
>"targeted" configuration. But most are only related to strict
>configuration.
>
>There are no dependencies with other patches I've sent recently.
>
>Index: refpolicy-2.20170419/policy/modules/system/fstools.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
>+++ refpolicy-2.20170419/policy/modules/system/fstools.te
>@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
> mls_file_read_all_levels(fsadm_t)
> mls_file_write_all_levels(fsadm_t)
>
>+selinux_getattr_fs(fsadm_t)
>+
> storage_raw_read_fixed_disk(fsadm_t)
> storage_raw_write_fixed_disk(fsadm_t)
> storage_raw_read_removable_device(fsadm_t)
>Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
>+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>
> userdom_use_user_terminals(load_policy_t)
> userdom_use_all_users_fds(load_policy_t)
>+dev_read_urand(load_policy_t)
>
> ifdef(`distro_ubuntu',`
> optional_policy(`
>@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
> fs_getattr_tracefs(restorecond_t)
> fs_list_inotifyfs(restorecond_t)
> fs_relabelfrom_noxattr_fs(restorecond_t)
>+fs_getattr_pstorefs(restorecond_t)
>
> selinux_validate_context(restorecond_t)
> selinux_compute_access_vector(restorecond_t)
>@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
> kernel_read_kernel_sysctls(semanage_t)
>
> corecmd_exec_bin(semanage_t)
>+corecmd_exec_shell(semanage_t)
>
> dev_read_urand(semanage_t)
>
>@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
> files_dontaudit_read_all_symlinks(setfiles_t)
>
> fs_getattr_all_xattr_fs(setfiles_t)
>+fs_getattr_nfs(setfiles_t)
> fs_getattr_pstore_dirs(setfiles_t)
> fs_getattr_pstorefs(setfiles_t)
> fs_getattr_tracefs(setfiles_t)
>Index: refpolicy-2.20170419/policy/modules/system/systemd.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
>+++ refpolicy-2.20170419/policy/modules/system/systemd.te
>@@ -854,6 +854,11 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ apt_use_fds(systemd_tmpfiles_t)
>+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
>+')
>+
>+optional_policy(`
> xfs_create_tmp_dirs(systemd_tmpfiles_t)
> ')
>
>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>
> ########################################
> ## <summary>
>+## Inherit and use file descriptors
>+## from dpkg scripts.
>+## </summary>
>+## <param name="domain">
>+## <summary>
>+## Domain allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`dpkg_script_rw_inherited_fifos',`
>+ gen_require(`
>+ type dpkg_script_t;
>+ ')
>+
>+ allow $1 dpkg_script_t:fd use;
>+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
>+')
>+
>+########################################
>+## <summary>
> ## Read dpkg package database content.
> ## </summary>
> ## <param name="domain">
>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>@@ -33,6 +33,7 @@ type dpkg_script_t;
> domain_type(dpkg_script_t)
> domain_entry_file(dpkg_t, dpkg_var_lib_t)
> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
> corecmd_shell_entry_type(dpkg_script_t)
> corecmd_bin_entry_type(dpkg_script_t)
> domain_obj_id_change_exemption(dpkg_script_t)
>@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>
> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>
> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
>+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
>@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
> userdom_use_user_terminals(system_mail_t)
>
> optional_policy(`
>+ apt_use_fds(system_mail_t)
>+ apt_use_ptys(system_mail_t)
>+')
>+
>+optional_policy(`
> apache_read_squirrelmail_data(system_mail_t)
> apache_append_squirrelmail_data(system_mail_t)
> apache_dontaudit_append_log(system_mail_t)
>Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
>+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
>@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
> init_exec(sysadm_t)
> init_admin(sysadm_t)
>
>+selinux_read_policy(sysadm_t)
>+
> # Add/remove user home directories
> userdom_manage_user_home_dirs(sysadm_t)
> userdom_home_filetrans_user_home_dir(sysadm_t)
>@@ -99,6 +101,10 @@ optional_policy(`
> ')
>
> optional_policy(`
>+ system_mail_role(sysadm_r)
>+')
>+
>+optional_policy(`
> amanda_run_recover(sysadm_t, sysadm_r)
> ')
>
>Index: refpolicy-2.20170419/policy/modules/services/xserver.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
>+++ refpolicy-2.20170419/policy/modules/services/xserver.te
>@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>
> allow xdm_t xauth_home_t:file manage_file_perms;
>-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
>+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file,
>".Xauthority")
>+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file,
>".xsession-errors")
>
> allow xauth_t xdm_t:process sigchld;
> allow xauth_t xdm_t:fd use;
>Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
>+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
>@@ -189,7 +189,7 @@ optional_policy(`
> # Groupadd local policy
> #
>
>-allow groupadd_t self:capability { audit_write chown dac_override kill
>setuid sys_resource };
>+allow groupadd_t self:capability { audit_write chown dac_override
>fsetid kill setuid sys_resource };
> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
>allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate
>setrlimit execmem execheap execstack };
> allow groupadd_t self:process { setrlimit setfscreate };
>Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
>+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
>@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
> # Local policy
> #
>
>-allow apt_t self:capability { chown dac_override fowner fsetid };
>+allow apt_t self:capability { chown dac_override fowner fsetid kill
>setgid setuid };
> allow apt_t self:process { signal setpgid fork };
> allow apt_t self:fd use;
> allow apt_t self:fifo_file rw_fifo_file_perms;
>@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
>fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file
>fifo_file })
>
> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>
> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>
> allow apt_t apt_var_log_t:file manage_file_perms;
> logging_log_filetrans(apt_t, apt_var_log_t, file)
>+allow apt_t apt_var_log_t:dir manage_dir_perms;
>
> can_exec(apt_t, apt_exec_t)
>
>Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
>===================================================================
>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
>+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
>@@ -121,6 +121,23 @@ interface(`mta_role',`
>
> ########################################
> ## <summary>
>+## Enable system_mail_t to run in the specified role
>+## </summary>
>+## <param name="role">
>+## <summary>
>+## Role allowed access.
>+## </summary>
>+## </param>
>+#
>+interface(`system_mail_role',`
>+ gen_require(`
>+ type system_mail_t;
>+ ')
>+ role $1 types system_mail_t;
>+')
>+
>+########################################
>+## <summary>
> ## Make the specified domain usable for a mail server.
> ## </summary>
> ## <param name="type">

2017-04-19 11:40:05

by guido

Subject: [refpolicy] [PATCH] fist "strict" patch

Hello again.

I am back on the previous issue...

There is an interface xserver_user_home_dir_filetrans_user_xsession_log() that is used to set the file context for the .xsession-errors log file and such interface is called from xserver_restricted_role() which is called from xserver_role().

Are you not using the xserver_role()?

Regards,

Guido

Il 19 aprile 2017 13:28:32 CEST, Guido Trentalancia via refpolicy <[email protected]> ha scritto:
>Hi.
>
>The file .xsession-errors is of type xsession_log_t and not user home
>content. So you should probably fix the file transition for xdm_t.
>
>Regards,
>
>Guido
>
>On the 19th of April 2017 12:47:51 CEST, Russell Coker via refpolicy
><[email protected]> wrote:
>>This is the first patch for policy I developed running in a "strict"
>>configuration. That means with the unconfined module removed from the
>>policy. It is possible that some patches from this are needed even in
>>a
>>"targeted" configuration. But most are only related to strict
>>configuration.
>>
>>There are no dependencies with other patches I've sent recently.
>>
>>Index: refpolicy-2.20170419/policy/modules/system/fstools.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/fstools.te
>>+++ refpolicy-2.20170419/policy/modules/system/fstools.te
>>@@ -134,6 +134,8 @@ files_search_all(fsadm_t)
>> mls_file_read_all_levels(fsadm_t)
>> mls_file_write_all_levels(fsadm_t)
>>
>>+selinux_getattr_fs(fsadm_t)
>>+
>> storage_raw_read_fixed_disk(fsadm_t)
>> storage_raw_write_fixed_disk(fsadm_t)
>> storage_raw_read_removable_device(fsadm_t)
>>Index: refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/selinuxutil.te
>>+++ refpolicy-2.20170419/policy/modules/system/selinuxutil.te
>>@@ -196,6 +196,7 @@ seutil_libselinux_linked(load_policy_t)
>>
>> userdom_use_user_terminals(load_policy_t)
>> userdom_use_all_users_fds(load_policy_t)
>>+dev_read_urand(load_policy_t)
>>
>> ifdef(`distro_ubuntu',`
>> optional_policy(`
>>@@ -358,6 +359,7 @@ fs_getattr_pstore_dirs(restorecond_t)
>> fs_getattr_tracefs(restorecond_t)
>> fs_list_inotifyfs(restorecond_t)
>> fs_relabelfrom_noxattr_fs(restorecond_t)
>>+fs_getattr_pstorefs(restorecond_t)
>>
>> selinux_validate_context(restorecond_t)
>> selinux_compute_access_vector(restorecond_t)
>>@@ -488,6 +490,7 @@ kernel_read_system_state(semanage_t)
>> kernel_read_kernel_sysctls(semanage_t)
>>
>> corecmd_exec_bin(semanage_t)
>>+corecmd_exec_shell(semanage_t)
>>
>> dev_read_urand(semanage_t)
>>
>>@@ -590,6 +593,7 @@ files_read_usr_symlinks(setfiles_t)
>> files_dontaudit_read_all_symlinks(setfiles_t)
>>
>> fs_getattr_all_xattr_fs(setfiles_t)
>>+fs_getattr_nfs(setfiles_t)
>> fs_getattr_pstore_dirs(setfiles_t)
>> fs_getattr_pstorefs(setfiles_t)
>> fs_getattr_tracefs(setfiles_t)
>>Index: refpolicy-2.20170419/policy/modules/system/systemd.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/system/systemd.te
>>+++ refpolicy-2.20170419/policy/modules/system/systemd.te
>>@@ -854,6 +854,11 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>>+ apt_use_fds(systemd_tmpfiles_t)
>>+ dpkg_script_rw_inherited_fifos(systemd_tmpfiles_t)
>>+')
>>+
>>+optional_policy(`
>> xfs_create_tmp_dirs(systemd_tmpfiles_t)
>> ')
>>
>>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.if
>>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.if
>>@@ -179,6 +179,26 @@ interface(`dpkg_use_script_fds',`
>>
>> ########################################
>> ## <summary>
>>+## Inherit and use file descriptors
>>+## from dpkg scripts.
>>+## </summary>
>>+## <param name="domain">
>>+## <summary>
>>+## Domain allowed access.
>>+## </summary>
>>+## </param>
>>+#
>>+interface(`dpkg_script_rw_inherited_fifos',`
>>+ gen_require(`
>>+ type dpkg_script_t;
>>+ ')
>>+
>>+ allow $1 dpkg_script_t:fd use;
>>+ allow $1 dpkg_script_t:fifo_file rw_inherited_file_perms;
>>+')
>>+
>>+########################################
>>+## <summary>
>> ## Read dpkg package database content.
>> ## </summary>
>> ## <param name="domain">
>>Index: refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/dpkg.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/dpkg.te
>>@@ -33,6 +33,7 @@ type dpkg_script_t;
>> domain_type(dpkg_script_t)
>> domain_entry_file(dpkg_t, dpkg_var_lib_t)
>> domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
>>+domain_entry_file(dpkg_script_t, dpkg_script_tmp_t)
>> corecmd_shell_entry_type(dpkg_script_t)
>> corecmd_bin_entry_type(dpkg_script_t)
>> domain_obj_id_change_exemption(dpkg_script_t)
>>@@ -69,6 +70,7 @@ allow dpkg_t self:msg { send receive };
>> allow dpkg_t dpkg_lock_t:file manage_file_perms;
>>
>> spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
>>+spec_domtrans_pattern(dpkg_t, dpkg_script_tmp_t, dpkg_script_t)
>>
>> manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>> manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t)
>>Index: refpolicy-2.20170419/policy/modules/contrib/mta.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/mta.te
>>@@ -205,6 +205,11 @@ init_rw_stream_sockets(system_mail_t)
>> userdom_use_user_terminals(system_mail_t)
>>
>> optional_policy(`
>>+ apt_use_fds(system_mail_t)
>>+ apt_use_ptys(system_mail_t)
>>+')
>>+
>>+optional_policy(`
>> apache_read_squirrelmail_data(system_mail_t)
>> apache_append_squirrelmail_data(system_mail_t)
>> apache_dontaudit_append_log(system_mail_t)
>>Index: refpolicy-2.20170419/policy/modules/roles/sysadm.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/roles/sysadm.te
>>+++ refpolicy-2.20170419/policy/modules/roles/sysadm.te
>>@@ -40,6 +40,8 @@ ubac_fd_exempt(sysadm_t)
>> init_exec(sysadm_t)
>> init_admin(sysadm_t)
>>
>>+selinux_read_policy(sysadm_t)
>>+
>> # Add/remove user home directories
>> userdom_manage_user_home_dirs(sysadm_t)
>> userdom_home_filetrans_user_home_dir(sysadm_t)
>>@@ -99,6 +101,10 @@ optional_policy(`
>> ')
>>
>> optional_policy(`
>>+ system_mail_role(sysadm_r)
>>+')
>>+
>>+optional_policy(`
>> amanda_run_recover(sysadm_t, sysadm_r)
>> ')
>>
>>Index: refpolicy-2.20170419/policy/modules/services/xserver.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/services/xserver.te
>>+++ refpolicy-2.20170419/policy/modules/services/xserver.te
>>@@ -273,7 +273,8 @@ manage_files_pattern(xauth_t, xauth_tmp_
>> files_tmp_filetrans(xauth_t, xauth_tmp_t, { file dir })
>>
>> allow xdm_t xauth_home_t:file manage_file_perms;
>>-userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file)
>>+userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file,
>>".Xauthority")
>>+userdom_user_home_dir_filetrans(xdm_t, user_home_t, file,
>>".xsession-errors")
>>
>> allow xauth_t xdm_t:process sigchld;
>> allow xauth_t xdm_t:fd use;
>>Index: refpolicy-2.20170419/policy/modules/admin/usermanage.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/admin/usermanage.te
>>+++ refpolicy-2.20170419/policy/modules/admin/usermanage.te
>>@@ -189,7 +189,7 @@ optional_policy(`
>> # Groupadd local policy
>> #
>>
>>-allow groupadd_t self:capability { audit_write chown dac_override
>kill
>>setuid sys_resource };
>>+allow groupadd_t self:capability { audit_write chown dac_override
>>fsetid kill setuid sys_resource };
>> dontaudit groupadd_t self:capability { fsetid sys_tty_config };
>>allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate
>>setrlimit execmem execheap execstack };
>> allow groupadd_t self:process { setrlimit setfscreate };
>>Index: refpolicy-2.20170419/policy/modules/contrib/apt.te
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/apt.te
>>+++ refpolicy-2.20170419/policy/modules/contrib/apt.te
>>@@ -39,7 +39,7 @@ logging_log_file(apt_var_log_t)
>> # Local policy
>> #
>>
>>-allow apt_t self:capability { chown dac_override fowner fsetid };
>>+allow apt_t self:capability { chown dac_override fowner fsetid kill
>>setgid setuid };
>> allow apt_t self:process { signal setpgid fork };
>> allow apt_t self:fd use;
>> allow apt_t self:fifo_file rw_fifo_file_perms;
>>@@ -69,6 +69,7 @@ manage_sock_files_pattern(apt_t, apt_tmp
>>fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file
>>fifo_file })
>>
>> manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>>+manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t)
>> files_var_filetrans(apt_t, apt_var_cache_t, dir)
>>
>> manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t)
>>@@ -76,6 +77,7 @@ files_var_lib_filetrans(apt_t, apt_var_l
>>
>> allow apt_t apt_var_log_t:file manage_file_perms;
>> logging_log_filetrans(apt_t, apt_var_log_t, file)
>>+allow apt_t apt_var_log_t:dir manage_dir_perms;
>>
>> can_exec(apt_t, apt_exec_t)
>>
>>Index: refpolicy-2.20170419/policy/modules/contrib/mta.if
>>===================================================================
>>--- refpolicy-2.20170419.orig/policy/modules/contrib/mta.if
>>+++ refpolicy-2.20170419/policy/modules/contrib/mta.if
>>@@ -121,6 +121,23 @@ interface(`mta_role',`
>>
>> ########################################
>> ## <summary>
>>+## Enable system_mail_t to run in the specified role
>>+## </summary>
>>+## <param name="role">
>>+## <summary>
>>+## Role allowed access.
>>+## </summary>
>>+## </param>
>>+#
>>+interface(`system_mail_role',`
>>+ gen_require(`
>>+ type system_mail_t;
>>+ ')
>>+ role $1 types system_mail_t;
>>+')
>>+
>>+########################################
>>+## <summary>
>> ## Make the specified domain usable for a mail server.
>> ## </summary>
>> ## <param name="type">
>