2017-02-16 03:18:58

by Russell Coker

Subject: [refpolicy] [PATCH] dpkg related patches version 2

Here is the latest version.

Index: refpolicy-2.20170216/policy/modules/contrib/dpkg.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/contrib/dpkg.te
+++ refpolicy-2.20170216/policy/modules/contrib/dpkg.te
@@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
domain_interactive_fd(dpkg_script_t)
role dpkg_roles types dpkg_script_t;

+spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
+domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
+
type dpkg_script_tmp_t;
files_tmp_file(dpkg_script_tmp_t)

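Review bot: `domain_entry_file(dpkg_script_t, dpkg_var_lib_t)` makes every file labelled dpkg_var_lib_t an entry point for dpkg_script_t, not only the maintainer scripts. If the package database files share that type with the scripts (not visible in this hunk), a dedicated type for the scripts would limit the entry point and the `spec_domtrans_pattern` transition to files that are meant to be executed. If the shared type stays, a comment above the two lines, such as `# maintainer scripts are stored with the dpkg database and carry dpkg_var_lib_t`, would record why a data type is used as an entry point.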
@@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
kernel_read_system_state(dpkg_t)
kernel_read_kernel_sysctls(dpkg_t)

-corecmd_exec_all_executables(dpkg_t)
-
corenet_all_recvfrom_unlabeled(dpkg_t)
corenet_all_recvfrom_netlabel(dpkg_t)
corenet_tcp_sendrecv_generic_if(dpkg_t)
@@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)

userdom_use_user_terminals(dpkg_t)
userdom_use_unpriv_users_fds(dpkg_t)
+userdom_use_all_users_fds(dpkg_t)

dpkg_domtrans_script(dpkg_t)

@@ -176,18 +178,10 @@ optional_policy(`
unconfined_domain(dpkg_t)
')

-# TODO: the following was copied from dpkg_script_t, and could probably
-# be removed again when dpkg_script_t is actually used...
-domain_signal_all_domains(dpkg_t)
-domain_signull_all_domains(dpkg_t)
-files_read_etc_runtime_files(dpkg_t)
-files_exec_usr_files(dpkg_t)
-miscfiles_read_localization(dpkg_t)
-modutils_run_depmod(dpkg_t, dpkg_roles)
-modutils_run_insmod(dpkg_t, dpkg_roles)
-seutil_run_loadpolicy(dpkg_t, dpkg_roles)
-seutil_run_setfiles(dpkg_t, dpkg_roles)
-userdom_use_all_users_fds(dpkg_t)
+optional_policy(`
+ modutils_run_depmod(dpkg_t, dpkg_roles)
+ modutils_run_insmod(dpkg_t, dpkg_roles)
+')

optional_policy(`
mta_send_mail(dpkg_t)
@@ -202,8 +196,8 @@ optional_policy(`
# Script Local policy
#

-allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
-allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
+allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
+allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
allow dpkg_script_t self:fd use;
allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
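Review bot: The widened `self:capability` line adds `audit_write`, `net_admin`, `setfcap` and `sys_ptrace` with no comment saying which maintainer-script action needs each one, and the `self:process` line drops `setfscreate` from the excluded set without mention. These are broad grants for a domain that runs package-supplied scripts, so each should carry a why-comment of the form `# sys_ptrace: <script or tool that triggered the denial>`. The same applies to the `netlink_audit_socket` and `udp_socket` rules added in the next hunk.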
@@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
allow dpkg_script_t self:sem create_sem_perms;
allow dpkg_script_t self:msgq create_msgq_perms;
allow dpkg_script_t self:msg { send receive };
+allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
+allow dpkg_script_t self:udp_socket create_socket_perms;

allow dpkg_script_t dpkg_tmp_t:file read_file_perms;

@@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
kernel_read_kernel_sysctls(dpkg_script_t)
kernel_read_system_state(dpkg_script_t)

+auth_manage_shadow(dpkg_script_t)
corecmd_exec_all_executables(dpkg_script_t)

+dev_manage_null_service(dpkg_script_t)
dev_list_sysfs(dpkg_script_t)
# Use named file transition to fix this
# dev_manage_generic_blk_files(dpkg_script_t)
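Review bot: `auth_manage_shadow(dpkg_script_t)` gives every maintainer script direct management access to the shadow file, while `files_manage_non_auth_files(dpkg_script_t)` in the next hunk still reads as if auth files were meant to stay outside this domain. A later hunk also adds `usermanage_run_passwd(dpkg_script_t, sysadm_r)`. If account changes are expected to go through a transition to the usermanage domains, the direct grant may be unnecessary, and that should be checked against the denials that motivated it. If it stays, a comment naming the script that writes the shadow file itself would let the next reviewer judge whether it can be narrowed.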
@@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
selinux_compute_create_context(dpkg_script_t)
selinux_compute_relabel_context(dpkg_script_t)
selinux_compute_user_contexts(dpkg_script_t)
+selinux_read_policy(dpkg_script_t)

storage_raw_read_fixed_disk(dpkg_script_t)
storage_raw_write_fixed_disk(dpkg_script_t)

term_use_all_terms(dpkg_script_t)

-auth_dontaudit_getattr_shadow(dpkg_script_t)
files_manage_non_auth_files(dpkg_script_t)

init_all_labeled_script_domtrans(dpkg_script_t)
+init_get_generic_units_status(dpkg_script_t)
init_use_script_fds(dpkg_script_t)
+init_status(dpkg_script_t)
+init_start_generic_units(dpkg_script_t)
+init_stop_generic_units(dpkg_script_t)
+init_reload(dpkg_script_t)
+init_system_stop(dpkg_script_t)
+init_telinit(dpkg_script_t)
+initrc_manage_service(dpkg_script_t)
+init_restart_script_service(dpkg_script_t)

libs_exec_ld_so(dpkg_script_t)
libs_exec_lib_files(dpkg_script_t)
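Review bot: `init_system_stop(dpkg_script_t)` grants `stop` on `init_t:system` (per the init.if section of this patch), a permission on the init manager as a whole and not on a unit, yet it sits among the per-unit calls with no comment. The patch also defines `init_system_start`, which nothing in the visible hunks calls, so the asymmetry looks accidental. A short comment above the added init lines saying which maintainer-script operation needs the system-level `stop`, `init_reload` and `init_telinit` would make the grant reviewable.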
@@ -287,13 +294,11 @@ logging_send_syslog_msg(dpkg_script_t)

miscfiles_read_localization(dpkg_script_t)

-modutils_run_depmod(dpkg_script_t, dpkg_roles)
-modutils_run_insmod(dpkg_script_t, dpkg_roles)
-
seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
seutil_run_setfiles(dpkg_script_t, dpkg_roles)

userdom_use_all_users_fds(dpkg_script_t)
+usermanage_run_passwd(dpkg_script_t, sysadm_r)

tunable_policy(`allow_execmem',`
allow dpkg_script_t self:process execmem;
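Review bot: `usermanage_run_passwd(dpkg_script_t, sysadm_r)` hard-codes `sysadm_r` where the neighbouring `seutil_run_loadpolicy` and `seutil_run_setfiles` calls pass `dpkg_roles`. The passwd domain would then presumably be authorised only for sysadm_r, and the module gains a reference to a role that the visible lines do not declare. Unless that restriction is intended, `usermanage_run_passwd(dpkg_script_t, dpkg_roles)` matches the rest of the file. The call is also outside `optional_policy`, unlike the modutils calls this patch moves into one, which matters if usermanage can be absent from a build.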
@@ -309,6 +314,11 @@ optional_policy(`
')

optional_policy(`
+ modutils_run_depmod(dpkg_script_t, dpkg_roles)
+ modutils_run_insmod(dpkg_script_t, dpkg_roles)
+')
+
+optional_policy(`
mta_send_mail(dpkg_script_t)
')

@@ -317,6 +327,11 @@ optional_policy(`
')

optional_policy(`
+ systemd_read_logind_state(dpkg_script_t)
+ systemd_dbus_chat_logind(dpkg_script_t)
+')
+
+optional_policy(`
unconfined_domain(dpkg_script_t)
')

Index: refpolicy-2.20170216/policy/modules/admin/bootloader.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/admin/bootloader.te
+++ refpolicy-2.20170216/policy/modules/admin/bootloader.te
@@ -149,6 +149,11 @@ ifdef(`distro_debian',`
fstools_relabelto_entry_files(bootloader_t)

libs_relabelto_lib_files(bootloader_t)
+
+ # for apt-cache
+ dpkg_read_db(bootloader_t)
+ apt_read_db(bootloader_t)
+ apt_read_cache(bootloader_t)
')

ifdef(`distro_redhat',`
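Review bot: The three calls added under `# for apt-cache` are not wrapped in `optional_policy`, so a Debian build of bootloader.te now depends on the dpkg and apt modules being present. The userdomain.if section of this same patch wraps `dpkg_read_db($1_t)` in `optional_policy`, and the same form fits here: one block holding `dpkg_read_db(bootloader_t)` and one holding `apt_read_db(bootloader_t)` and `apt_read_cache(bootloader_t)`. The enclosing distro_debian ifdef block starts outside the hunk.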
Index: refpolicy-2.20170216/policy/modules/system/init.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.if
+++ refpolicy-2.20170216/policy/modules/system/init.if
@@ -809,6 +809,42 @@ interface(`init_udp_send',`

########################################
## <summary>
+## start service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_system_start',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system start;
+')
+
+########################################
+## <summary>
+## stop service (systemd).
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_system_stop',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system stop;
+')
+
+########################################
+## <summary>
## Get all service status (systemd).
## </summary>
## <param name="domain">
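Review bot: The summaries `start service (systemd).` and `stop service (systemd).` on init_system_start and init_system_stop do not match the rules, which grant `start` and `stop` on `init_t:system` rather than on a service unit. A caller reading the generated interface documentation would take these for per-unit permissions. A summary that names the object, for example `## Allow the start permission on the init system object (systemd).`, would avoid that. Neither interface lists `class system` in its `gen_require`, whereas initrc_manage_service later in this file does list its class, so the new interfaces should follow one convention.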
@@ -2514,3 +2550,58 @@ interface(`init_reload_all_units',`

allow $1 systemdunit:service reload;
')
+
+########################################
+## <summary>
+## Start and stop init_script_file_type services
+## </summary>
+## <param name="domain">
+## <summary>
+## domain that can start and stop the services
+## </summary>
+## </param>
+#
+interface(`init_restart_script_service',`
+ gen_require(`
+ attribute init_script_file_type;
+ ')
+
+ allow $1 init_script_file_type:service { start status stop };
+')
+
+########################################
+## <summary>
+## Get the system status information from init
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`init_status',`
+ gen_require(`
+ type init_t;
+ ')
+
+ allow $1 init_t:system status;
+')
+
+########################################
+## <summary>
+## Allow manage service for initrc_exec_t scripts
+## </summary>
+## <param name="domain">
+## <summary>
+## Target domain
+## </summary>
+## </param>
+#
+interface(`initrc_manage_service',`
+ gen_require(`
+ type initrc_exec_t;
+ class service { status start stop };
+ ')
+
+ allow $1 initrc_exec_t:service { start stop status };
+')
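Review bot: `initrc_manage_service` and `init_restart_script_service` grant the same `{ start stop status }` set, one on `initrc_exec_t` and one on the `init_script_file_type` attribute, and dpkg.te calls both; if initrc_exec_t carries that attribute (not visible here) the first is redundant. The summary of init_restart_script_service mentions only start and stop although the rule also grants `status`; `## Start, stop and get the status of init_script_file_type services.` would match the rule. The parameter summaries also vary across the three interfaces (`Target domain`, `domain that can start and stop the services`, `Domain allowed access.`), and only initrc_manage_service requires `class service`.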
Index: refpolicy-2.20170216/policy/modules/kernel/devices.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/kernel/devices.if
+++ refpolicy-2.20170216/policy/modules/kernel/devices.if
@@ -3260,6 +3260,26 @@ interface(`dev_create_null_dev',`

########################################
## <summary>
+## Manage services with script type null_device_t for when
+## /lib/systemd/system/something.service is a link to /dev/null
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain allowed access.
+## </summary>
+## </param>
+#
+interface(`dev_manage_null_service',`
+ gen_require(`
+ type null_device_t;
+ class service { status start stop reload };
+ ')
+
+ allow $1 null_device_t:service { status start stop reload };
+')
+
+########################################
+## <summary>
## Do not audit attempts to get the attributes
## of the BIOS non-volatile RAM device.
## </summary>
Index: refpolicy-2.20170216/policy/modules/system/systemd.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/systemd.if
+++ refpolicy-2.20170216/policy/modules/system/systemd.if
@@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`

allow $1 power_unit_t:service start;
')
+
+########################################
+## <summary>
+## Allow systemd_logind_t to read process state for cgroup file
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain systemd_logind_t may access.
+## </summary>
+## </param>
+#
+interface(`systemd_read_logind_state',`
+ gen_require(`
+ type systemd_logind_t;
+ ')
+
+ allow systemd_logind_t $1:dir list_dir_perms;
+ allow systemd_logind_t $1:file read_file_perms;
+')
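Review bot: The name `systemd_read_logind_state` reads as if the caller gains read access to logind's state, but both rules have `systemd_logind_t` as the source and `$1` as the target, so the interface lets logind list and read the caller's own `dir` and `file` objects. The summary states this direction while the name does not, and a policy author choosing interfaces by name could add it expecting the opposite grant. The parameter text could be made explicit as `Domain whose process state systemd_logind_t may read.`, and the name should reflect the same direction.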
Index: refpolicy-2.20170216/policy/modules/system/unconfined.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/unconfined.if
+++ refpolicy-2.20170216/policy/modules/system/unconfined.if
@@ -319,6 +319,23 @@ interface(`unconfined_run_to',`

########################################
## <summary>
+## Allow the specified domain to be in the unconfined role
+## </summary>
+## <param name="domain">
+## <summary>
+## Domain to permit in unconfined_r
+## </summary>
+## </param>
+#
+interface(`permit_in_unconfined_r',`
+ gen_require(`
+ role unconfined_r;
+ ')
+ role unconfined_r types $1;
+')
+
+########################################
+## <summary>
## Inherit file descriptors from the unconfined domain.
## </summary>
## <param name="domain">
Index: refpolicy-2.20170216/policy/modules/system/init.te
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/init.te
+++ refpolicy-2.20170216/policy/modules/system/init.te
@@ -277,8 +277,6 @@ ifdef(`init_systemd',`

term_relabel_pty_dirs(init_t)

- clock_read_adjtime(init_t)
-
logging_manage_pid_sockets(init_t)
logging_send_audit_msgs(init_t)
logging_relabelto_devlog_sock_files(init_t)
@@ -289,6 +287,10 @@ ifdef(`init_systemd',`
udev_create_kobject_uevent_sockets(init_t)

optional_policy(`
+ clock_read_adjtime(init_t)
+ ')
+
+ optional_policy(`
systemd_relabelto_kmod_files(init_t)
systemd_dbus_chat_logind(init_t)
')
Index: refpolicy-2.20170216/policy/modules/system/userdomain.if
===================================================================
--- refpolicy-2.20170216.orig/policy/modules/system/userdomain.if
+++ refpolicy-2.20170216/policy/modules/system/userdomain.if
@@ -674,6 +674,10 @@ template(`userdom_common_user_template',
')

optional_policy(`
+ dpkg_read_db($1_t)
+ ')
+
+ optional_policy(`
hwloc_exec_dhwd($1_t)
hwloc_read_runtime_files($1_t)
')


2017-02-19 21:14:23

by Chris PeBenito

Subject: [refpolicy] [PATCH] dpkg related patches version 2

On 02/15/17 22:18, Russell Coker via refpolicy wrote:
> Here is the latest version.

I've merged this but made some interface renames and moved a few lines
around.


> Index: refpolicy-2.20170216/policy/modules/contrib/dpkg.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/contrib/dpkg.te
> +++ refpolicy-2.20170216/policy/modules/contrib/dpkg.te
> @@ -38,6 +38,9 @@ domain_system_change_exemption(dpkg_scri
> domain_interactive_fd(dpkg_script_t)
> role dpkg_roles types dpkg_script_t;
>
> +spec_domtrans_pattern(dpkg_t, dpkg_var_lib_t, dpkg_script_t)
> +domain_entry_file(dpkg_script_t, dpkg_var_lib_t)
> +
> type dpkg_script_tmp_t;
> files_tmp_file(dpkg_script_tmp_t)
>
> @@ -84,8 +87,6 @@ files_var_lib_filetrans(dpkg_t, dpkg_var
> kernel_read_system_state(dpkg_t)
> kernel_read_kernel_sysctls(dpkg_t)
>
> -corecmd_exec_all_executables(dpkg_t)
> -
> corenet_all_recvfrom_unlabeled(dpkg_t)
> corenet_all_recvfrom_netlabel(dpkg_t)
> corenet_tcp_sendrecv_generic_if(dpkg_t)
> @@ -153,6 +154,7 @@ sysnet_read_config(dpkg_t)
>
> userdom_use_user_terminals(dpkg_t)
> userdom_use_unpriv_users_fds(dpkg_t)
> +userdom_use_all_users_fds(dpkg_t)
>
> dpkg_domtrans_script(dpkg_t)
>
> @@ -176,18 +178,10 @@ optional_policy(`
> unconfined_domain(dpkg_t)
> ')
>
> -# TODO: the following was copied from dpkg_script_t, and could probably
> -# be removed again when dpkg_script_t is actually used...
> -domain_signal_all_domains(dpkg_t)
> -domain_signull_all_domains(dpkg_t)
> -files_read_etc_runtime_files(dpkg_t)
> -files_exec_usr_files(dpkg_t)
> -miscfiles_read_localization(dpkg_t)
> -modutils_run_depmod(dpkg_t, dpkg_roles)
> -modutils_run_insmod(dpkg_t, dpkg_roles)
> -seutil_run_loadpolicy(dpkg_t, dpkg_roles)
> -seutil_run_setfiles(dpkg_t, dpkg_roles)
> -userdom_use_all_users_fds(dpkg_t)
> +optional_policy(`
> + modutils_run_depmod(dpkg_t, dpkg_roles)
> + modutils_run_insmod(dpkg_t, dpkg_roles)
> +')
>
> optional_policy(`
> mta_send_mail(dpkg_t)
> @@ -202,8 +196,8 @@ optional_policy(`
> # Script Local policy
> #
>
> -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod setgid setuid sys_chroot sys_nice };
> -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap };
> +allow dpkg_script_t self:capability { audit_write chown dac_override dac_read_search fowner fsetid ipc_lock kill mknod net_admin setfcap setgid setuid sys_chroot sys_nice sys_ptrace };
> +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap };
> allow dpkg_script_t self:fd use;
> allow dpkg_script_t self:fifo_file rw_fifo_file_perms;
> allow dpkg_script_t self:unix_dgram_socket create_socket_perms;
> @@ -214,6 +208,8 @@ allow dpkg_script_t self:shm create_shm_
> allow dpkg_script_t self:sem create_sem_perms;
> allow dpkg_script_t self:msgq create_msgq_perms;
> allow dpkg_script_t self:msg { send receive };
> +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };
> +allow dpkg_script_t self:udp_socket create_socket_perms;
>
> allow dpkg_script_t dpkg_tmp_t:file read_file_perms;
>
> @@ -231,8 +227,10 @@ fs_tmpfs_filetrans(dpkg_script_t, dpkg_s
> kernel_read_kernel_sysctls(dpkg_script_t)
> kernel_read_system_state(dpkg_script_t)
>
> +auth_manage_shadow(dpkg_script_t)
> corecmd_exec_all_executables(dpkg_script_t)
>
> +dev_manage_null_service(dpkg_script_t)
> dev_list_sysfs(dpkg_script_t)
> # Use named file transition to fix this
> # dev_manage_generic_blk_files(dpkg_script_t)
> @@ -267,17 +265,26 @@ selinux_compute_access_vector(dpkg_scrip
> selinux_compute_create_context(dpkg_script_t)
> selinux_compute_relabel_context(dpkg_script_t)
> selinux_compute_user_contexts(dpkg_script_t)
> +selinux_read_policy(dpkg_script_t)
>
> storage_raw_read_fixed_disk(dpkg_script_t)
> storage_raw_write_fixed_disk(dpkg_script_t)
>
> term_use_all_terms(dpkg_script_t)
>
> -auth_dontaudit_getattr_shadow(dpkg_script_t)
> files_manage_non_auth_files(dpkg_script_t)
>
> init_all_labeled_script_domtrans(dpkg_script_t)
> +init_get_generic_units_status(dpkg_script_t)
> init_use_script_fds(dpkg_script_t)
> +init_status(dpkg_script_t)
> +init_start_generic_units(dpkg_script_t)
> +init_stop_generic_units(dpkg_script_t)
> +init_reload(dpkg_script_t)
> +init_system_stop(dpkg_script_t)
> +init_telinit(dpkg_script_t)
> +initrc_manage_service(dpkg_script_t)
> +init_restart_script_service(dpkg_script_t)
>
> libs_exec_ld_so(dpkg_script_t)
> libs_exec_lib_files(dpkg_script_t)
> @@ -287,13 +294,11 @@ logging_send_syslog_msg(dpkg_script_t)
>
> miscfiles_read_localization(dpkg_script_t)
>
> -modutils_run_depmod(dpkg_script_t, dpkg_roles)
> -modutils_run_insmod(dpkg_script_t, dpkg_roles)
> -
> seutil_run_loadpolicy(dpkg_script_t, dpkg_roles)
> seutil_run_setfiles(dpkg_script_t, dpkg_roles)
>
> userdom_use_all_users_fds(dpkg_script_t)
> +usermanage_run_passwd(dpkg_script_t, sysadm_r)
>
> tunable_policy(`allow_execmem',`
> allow dpkg_script_t self:process execmem;
> @@ -309,6 +314,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + modutils_run_depmod(dpkg_script_t, dpkg_roles)
> + modutils_run_insmod(dpkg_script_t, dpkg_roles)
> +')
> +
> +optional_policy(`
> mta_send_mail(dpkg_script_t)
> ')
>
> @@ -317,6 +327,11 @@ optional_policy(`
> ')
>
> optional_policy(`
> + systemd_read_logind_state(dpkg_script_t)
> + systemd_dbus_chat_logind(dpkg_script_t)
> +')
> +
> +optional_policy(`
> unconfined_domain(dpkg_script_t)
> ')
>
> Index: refpolicy-2.20170216/policy/modules/admin/bootloader.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/admin/bootloader.te
> +++ refpolicy-2.20170216/policy/modules/admin/bootloader.te
> @@ -149,6 +149,11 @@ ifdef(`distro_debian',`
> fstools_relabelto_entry_files(bootloader_t)
>
> libs_relabelto_lib_files(bootloader_t)
> +
> + # for apt-cache
> + dpkg_read_db(bootloader_t)
> + apt_read_db(bootloader_t)
> + apt_read_cache(bootloader_t)
> ')
>
> ifdef(`distro_redhat',`
> Index: refpolicy-2.20170216/policy/modules/system/init.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.if
> +++ refpolicy-2.20170216/policy/modules/system/init.if
> @@ -809,6 +809,42 @@ interface(`init_udp_send',`
>
> ########################################
> ## <summary>
> +## start service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_system_start',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system start;
> +')
> +
> +########################################
> +## <summary>
> +## stop service (systemd).
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_system_stop',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system stop;
> +')
> +
> +########################################
> +## <summary>
> ## Get all service status (systemd).
> ## </summary>
> ## <param name="domain">
> @@ -2514,3 +2550,58 @@ interface(`init_reload_all_units',`
>
> allow $1 systemdunit:service reload;
> ')
> +
> +########################################
> +## <summary>
> +## Start and stop init_script_file_type services
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## domain that can start and stop the services
> +## </summary>
> +## </param>
> +#
> +interface(`init_restart_script_service',`
> + gen_require(`
> + attribute init_script_file_type;
> + ')
> +
> + allow $1 init_script_file_type:service { start status stop };
> +')
> +
> +########################################
> +## <summary>
> +## Get the system status information from init
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`init_status',`
> + gen_require(`
> + type init_t;
> + ')
> +
> + allow $1 init_t:system status;
> +')
> +
> +########################################
> +## <summary>
> +## Allow manage service for initrc_exec_t scripts
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Target domain
> +## </summary>
> +## </param>
> +#
> +interface(`initrc_manage_service',`
> + gen_require(`
> + type initrc_exec_t;
> + class service { status start stop };
> + ')
> +
> + allow $1 initrc_exec_t:service { start stop status };
> +')
> Index: refpolicy-2.20170216/policy/modules/kernel/devices.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/kernel/devices.if
> +++ refpolicy-2.20170216/policy/modules/kernel/devices.if
> @@ -3260,6 +3260,26 @@ interface(`dev_create_null_dev',`
>
> ########################################
> ## <summary>
> +## Manage services with script type null_device_t for when
> +## /lib/systemd/system/something.service is a link to /dev/null
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain allowed access.
> +## </summary>
> +## </param>
> +#
> +interface(`dev_manage_null_service',`
> + gen_require(`
> + type null_device_t;
> + class service { status start stop reload };
> + ')
> +
> + allow $1 null_device_t:service { status start stop reload };
> +')
> +
> +########################################
> +## <summary>
> ## Do not audit attempts to get the attributes
> ## of the BIOS non-volatile RAM device.
> ## </summary>
> Index: refpolicy-2.20170216/policy/modules/system/systemd.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/systemd.if
> +++ refpolicy-2.20170216/policy/modules/system/systemd.if
> @@ -190,3 +190,22 @@ interface(`systemd_start_power_units',`
>
> allow $1 power_unit_t:service start;
> ')
> +
> +########################################
> +## <summary>
> +## Allow systemd_logind_t to read process state for cgroup file
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain systemd_logind_t may access.
> +## </summary>
> +## </param>
> +#
> +interface(`systemd_read_logind_state',`
> + gen_require(`
> + type systemd_logind_t;
> + ')
> +
> + allow systemd_logind_t $1:dir list_dir_perms;
> + allow systemd_logind_t $1:file read_file_perms;
> +')
> Index: refpolicy-2.20170216/policy/modules/system/unconfined.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/unconfined.if
> +++ refpolicy-2.20170216/policy/modules/system/unconfined.if
> @@ -319,6 +319,23 @@ interface(`unconfined_run_to',`
>
> ########################################
> ## <summary>
> +## Allow the specified domain to be in the unconfined role
> +## </summary>
> +## <param name="domain">
> +## <summary>
> +## Domain to permit in unconfined_r
> +## </summary>
> +## </param>
> +#
> +interface(`permit_in_unconfined_r',`
> + gen_require(`
> + role unconfined_r;
> + ')
> + role unconfined_r types $1;
> +')

This hunk was dropped (it wasn't used anyway).

> +########################################
> +## <summary>
> ## Inherit file descriptors from the unconfined domain.
> ## </summary>
> ## <param name="domain">
> Index: refpolicy-2.20170216/policy/modules/system/init.te
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/init.te
> +++ refpolicy-2.20170216/policy/modules/system/init.te
> @@ -277,8 +277,6 @@ ifdef(`init_systemd',`
>
> term_relabel_pty_dirs(init_t)
>
> - clock_read_adjtime(init_t)
> -
> logging_manage_pid_sockets(init_t)
> logging_send_audit_msgs(init_t)
> logging_relabelto_devlog_sock_files(init_t)
> @@ -289,6 +287,10 @@ ifdef(`init_systemd',`
> udev_create_kobject_uevent_sockets(init_t)
>
> optional_policy(`
> + clock_read_adjtime(init_t)
> + ')
> +
> + optional_policy(`
> systemd_relabelto_kmod_files(init_t)
> systemd_dbus_chat_logind(init_t)
> ')
> Index: refpolicy-2.20170216/policy/modules/system/userdomain.if
> ===================================================================
> --- refpolicy-2.20170216.orig/policy/modules/system/userdomain.if
> +++ refpolicy-2.20170216/policy/modules/system/userdomain.if
> @@ -674,6 +674,10 @@ template(`userdom_common_user_template',
> ')
>
> optional_policy(`
> + dpkg_read_db($1_t)
> + ')
> +
> + optional_policy(`
> hwloc_exec_dhwd($1_t)
> hwloc_read_runtime_files($1_t)
> ')


--
Chris PeBenito