From: russell@coker.com.au (Russell Coker) Date: Wed, 3 Aug 2016 16:38:59 +1000 Subject: [refpolicy] [PATCH] strict mode policy Message-ID: <20160803063859.gwyuqvqfkdrio3oq@athena.coker.com.au> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The following patch contains the changes that I needed to get a Debian system running correctly in a "strict" configuration, IE the unconfined module is not loaded. diff -ru /home/rjc/src/pol-git/policy/modules/admin/usermanage.te ./policy/modules/admin/usermanage.te --- /home/rjc/src/pol-git/policy/modules/admin/usermanage.te 2016-07-28 20:33:39.959961616 +1000 +++ ./policy/modules/admin/usermanage.te 2016-08-03 16:11:44.366831728 +1000 @@ -189,7 +189,7 @@ # Groupadd local policy # -allow groupadd_t self:capability { dac_override chown kill setuid sys_resource audit_write }; +allow groupadd_t self:capability { dac_override fsetid chown kill setuid sys_resource audit_write }; dontaudit groupadd_t self:capability { fsetid sys_tty_config }; allow groupadd_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execheap execstack }; allow groupadd_t self:process { setrlimit setfscreate }; diff -ru /home/rjc/src/pol-git/policy/modules/contrib/apt.te ./policy/modules/contrib/apt.te --- /home/rjc/src/pol-git/policy/modules/contrib/apt.te 2016-07-30 08:14:41.073649232 +1000 +++ ./policy/modules/contrib/apt.te 2016-08-03 16:11:44.362831615 +1000 @@ -69,6 +69,7 @@ fs_tmpfs_filetrans(apt_t, apt_tmpfs_t, { dir file lnk_file sock_file fifo_file }) manage_files_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) +manage_dirs_pattern(apt_t, apt_var_cache_t, apt_var_cache_t) files_var_filetrans(apt_t, apt_var_cache_t, dir) manage_files_pattern(apt_t, apt_var_lib_t, apt_var_lib_t) 
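Review bot: `fsetid` is now both allowed and dontaudited for groupadd_t: the new allow line grants it while the unchanged next line still reads `dontaudit groupadd_t self:capability { fsetid sys_tty_config };`, which is dead once the permission is allowed. Drop it from the dontaudit, leaving `dontaudit groupadd_t self:capability sys_tty_config;`. A short comment naming the operation that needed fsetid (presumably preserving setgid bits when the group files are rewritten) would let the next reviewer judge whether the capability is warranted.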
@@ -76,6 +77,7 @@ allow apt_t apt_var_log_t:file manage_file_perms; logging_log_filetrans(apt_t, apt_var_log_t, file) +allow apt_t apt_var_log_t:dir list_dir_perms; can_exec(apt_t, apt_exec_t) diff -ru /home/rjc/src/pol-git/policy/modules/contrib/cron.te ./policy/modules/contrib/cron.te --- /home/rjc/src/pol-git/policy/modules/contrib/cron.te 2016-07-30 08:14:41.089649654 +1000 +++ ./policy/modules/contrib/cron.te 2016-08-03 16:11:44.362831615 +1000 @@ -709,6 +709,7 @@ type unconfined_cronjob_t; domain_type(unconfined_cronjob_t) domain_cron_exemption_target(unconfined_cronjob_t) +role system_r types unconfined_cronjob_t; dontaudit crond_t unconfined_cronjob_t:process { noatsecure siginh rlimitinh }; diff -ru /home/rjc/src/pol-git/policy/modules/contrib/dpkg.te ./policy/modules/contrib/dpkg.te --- /home/rjc/src/pol-git/policy/modules/contrib/dpkg.te 2016-07-30 08:14:41.097649866 +1000 +++ ./policy/modules/contrib/dpkg.te 2016-08-03 16:16:31.978933663 +1000 @@ -69,6 +69,7 @@ manage_dirs_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) manage_files_pattern(dpkg_t, dpkg_tmp_t, dpkg_tmp_t) files_tmp_filetrans(dpkg_t, dpkg_tmp_t, { file dir }) +can_exec(dpkg_t, dpkg_tmp_t) manage_dirs_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) manage_files_pattern(dpkg_t, dpkg_tmpfs_t, dpkg_tmpfs_t) @@ -84,6 +85,9 @@ kernel_read_system_state(dpkg_t) kernel_read_kernel_sysctls(dpkg_t) +# for dpkg-preconfigure +kernel_request_load_module(dpkg_t) + corecmd_exec_all_executables(dpkg_t) corenet_all_recvfrom_unlabeled(dpkg_t) 
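Review bot: `role system_r types unconfined_cronjob_t;` is added unconditionally in cron.te, so crond can transition system jobs into unconfined_cronjob_t even in the configuration this patch targets, where the unconfined module that gives that domain its rules is absent. With no unconfined module loaded the domain has essentially no permissions, so a job landing there fails on its first access rather than running confined. It would be better to find out which crontab or file context is selecting unconfined_cronjob_t and fix that labeling, or at least add a comment explaining why the role is needed in strict mode.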
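Review bot: `can_exec(dpkg_t, dpkg_tmp_t)` lets dpkg execute whatever it has written under its tmp type in the dpkg_t domain itself. If those files are maintainer scripts, the existing design routes them through dpkg_script_t (the following hunks keep `allow dpkg_script_t dpkg_tmp_t:file read_file_perms;`), and running them in dpkg_t sidesteps that boundary and will surface further denials against dpkg_t. Please add a comment naming the program executed from dpkg_tmp_t, and if it is a maintainer script consider `domtrans_pattern(dpkg_t, dpkg_tmp_t, dpkg_script_t)` instead of can_exec.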
@@ -202,8 +206,8 @@ # Script Local policy # -allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid setgid setuid ipc_lock sys_chroot sys_nice mknod kill }; -allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setfscreate setrlimit execmem execstack execheap }; +allow dpkg_script_t self:capability { chown dac_override dac_read_search fowner fsetid kill setgid setuid net_admin ipc_lock sys_ptrace sys_chroot sys_nice mknod audit_write setfcap }; +allow dpkg_script_t self:process ~{ ptrace setcurrent setexec setrlimit execmem execstack execheap }; allow dpkg_script_t self:fd use; allow dpkg_script_t self:fifo_file rw_fifo_file_perms; allow dpkg_script_t self:unix_dgram_socket create_socket_perms; @@ -214,6 +218,8 @@ allow dpkg_script_t self:sem create_sem_perms; allow dpkg_script_t self:msgq create_msgq_perms; allow dpkg_script_t self:msg { send receive }; +allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay }; +allow dpkg_script_t self:udp_socket create_socket_perms; allow dpkg_script_t dpkg_tmp_t:file read_file_perms; @@ -228,8 +234,11 @@ allow dpkg_script_t dpkg_script_tmpfs_t:fifo_file manage_fifo_file_perms; fs_tmpfs_filetrans(dpkg_script_t, dpkg_script_tmpfs_t, { dir file lnk_file sock_file fifo_file }) +usermanage_domtrans_passwd(dpkg_script_t) + kernel_read_kernel_sysctls(dpkg_script_t) kernel_read_system_state(dpkg_script_t) +auth_manage_shadow(dpkg_script_t) corecmd_exec_all_executables(dpkg_script_t) 
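Review bot: The dpkg_script_t capability set gains `net_admin`, `sys_ptrace` and `setfcap`, and `setfscreate` leaves the self:process exclusion list, with nothing in the hunk saying which maintainer script needed each. sys_ptrace and net_admin are far beyond installing files; if they came from a script running ps- or ss-style status commands they are usually dontaudit candidates, and setfcap is only justified if some package sets file capabilities in its postinst. Please add a one-line comment per unusual capability, e.g. `# net_admin: <package> postinst runs ...`, or split them into separate rules so each can be judged on its own.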
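Review bot: The raw `allow dpkg_script_t self:netlink_audit_socket { create_netlink_socket_perms nlmsg_relay };` duplicates what the logging module exports; refpolicy convention is `logging_send_audit_msgs(dpkg_script_t)`, which in current refpolicy grants this socket access together with the audit_write capability added in the previous hunk, replacing both raw rules. The `self:udp_socket create_socket_perms` line would also benefit from a comment naming its caller, since a package maintainer script opening UDP sockets is unusual.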
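Review bot: `auth_manage_shadow(dpkg_script_t)` gives every maintainer script direct write access to /etc/shadow, while the same hunk also adds `usermanage_domtrans_passwd(dpkg_script_t)`, which is the least-privilege way for a postinst to set passwords. If the scripts only call passwd/chpasswd, the domain transition should suffice and the direct manage rule can be dropped; if some script edits shadow itself, name it in a comment so the broad rule carries a justification. The later hunk's removal of `auth_dontaudit_getattr_shadow` is only consistent if the manage rule stays.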
@@ -267,13 +276,13 @@ selinux_compute_create_context(dpkg_script_t) selinux_compute_relabel_context(dpkg_script_t) selinux_compute_user_contexts(dpkg_script_t) +selinux_read_policy(dpkg_script_t) storage_raw_read_fixed_disk(dpkg_script_t) storage_raw_write_fixed_disk(dpkg_script_t) term_use_all_terms(dpkg_script_t) -auth_dontaudit_getattr_shadow(dpkg_script_t) files_manage_non_auth_files(dpkg_script_t) init_all_labeled_script_domtrans(dpkg_script_t) diff -ru /home/rjc/src/pol-git/policy/modules/contrib/gnome.if ./policy/modules/contrib/gnome.if --- /home/rjc/src/pol-git/policy/modules/contrib/gnome.if 2016-07-30 08:14:41.105650077 +1000 +++ ./policy/modules/contrib/gnome.if 2016-08-03 16:11:44.362831615 +1000 @@ -76,6 +76,8 @@ allow $3 { gconf_home_t gconf_tmp_t }:dir { manage_dir_perms relabel_dir_perms }; allow $3 { gconf_home_t gconf_tmp_t }:file { manage_file_perms relabel_file_perms }; + allow $3 gconfd_t:dbus send_msg; + allow gconfd_t $3:dbus send_msg; userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconf") userdom_user_home_dir_filetrans($3, gconf_home_t, dir, ".gconfd") diff -ru /home/rjc/src/pol-git/policy/modules/contrib/mta.if ./policy/modules/contrib/mta.if --- /home/rjc/src/pol-git/policy/modules/contrib/mta.if 2016-07-30 08:14:41.121650499 +1000 +++ ./policy/modules/contrib/mta.if 2016-08-03 16:11:44.358831503 +1000 
@@ -121,6 +121,23 @@ ######################################## ## +## Enable system_mail_t to run in the specified role +## +## +## +## Role allowed access. +## +## +# +interface(`system_mail_role',` + gen_require(` + type system_mail_t; + ') + role $1 types system_mail_t; +') + +######################################## +## ## Make the specified domain usable for a mail server. ## ## diff -ru /home/rjc/src/pol-git/policy/modules/kernel/corecommands.fc ./policy/modules/kernel/corecommands.fc --- /home/rjc/src/pol-git/policy/modules/kernel/corecommands.fc 2016-07-28 20:33:39.959961616 +1000 +++ ./policy/modules/kernel/corecommands.fc 2016-08-03 16:11:44.366831728 +1000 @@ -335,6 +335,7 @@ /usr/lib/ConsoleKit/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/gdm3/.* -- gen_context(system_u:object_r:bin_t,s0) /usr/lib/udisks/.* -- gen_context(system_u:object_r:bin_t,s0) +/usr/share/bug/.* -- gen_context(system_u:object_r:bin_t,s0) ') ifdef(`distro_gentoo', ` diff -ru /home/rjc/src/pol-git/policy/modules/kernel/devices.if ./policy/modules/kernel/devices.if --- /home/rjc/src/pol-git/policy/modules/kernel/devices.if 2016-07-28 20:33:39.959961616 +1000 +++ ./policy/modules/kernel/devices.if 2016-08-03 16:11:44.366831728 +1000 @@ -5046,3 +5046,21 @@ typeattribute $1 devices_unconfined_type; ') + +######################################## +## +## Create subdir of /dev +## +## +## +## Domain allowed access. +## +## +# +interface(`dev_create_subdir',` + gen_require(` + type device_t; + ') + allow $1 device_t:dir { add_entry_dir_perms create }; + allow $1 device_t:dir search_dir_perms; +') diff -ru /home/rjc/src/pol-git/policy/modules/kernel/files.if ./policy/modules/kernel/files.if --- /home/rjc/src/pol-git/policy/modules/kernel/files.if 2016-07-28 20:33:39.963961720 +1000 +++ ./policy/modules/kernel/files.if 2016-08-03 16:11:44.366831728 +1000 
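Review bot: The new interface is named `system_mail_role` but every interface in mta.if carries the module prefix, so it should be `mta_system_mail_role` (or similar); an unprefixed name is hard to find and breaks the convention that ties interfaces to their module. The sysadm.te caller `system_mail_role(sysadm_r)` needs the matching rename. The doc block should also say it only adds the role to system_mail_t and grants no access to the calling role's domain.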
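Review bot: In `dev_create_subdir` the second line `allow $1 device_t:dir search_dir_perms;` is redundant, because `add_entry_dir_perms` already includes getattr, search and open. Note also that `create` on `device_t:dir` means any directory the caller makes under /dev is itself labeled device_t unless a type transition applies, so the summary should say so, and a caller such as initrc_t (added in init.te below) should pair it with a `dev_filetrans`-style rule if the subdirectory is meant to have its own type. If devices.if already provides a generic create-dirs interface, prefer that over a new one.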
@@ -3194,6 +3194,26 @@ ######################################## ## +## Relabel files and dirs to etc_runtime_t +## +## +## +## Domain allowed access. +## +## +## +# +interface(`files_relabelto_etc_runtime',` + gen_require(` + type etc_runtime_t; + ') + + allow $1 etc_runtime_t:file relabelto; + allow $1 etc_runtime_t:dir relabelto; +') + +######################################## +## ## Create, etc runtime objects with an automatic ## type transition. ## @@ -6095,6 +6115,24 @@ ') ######################################## +## +## Create a /var/run directory. +## +## +## +## Domain allowed access. +## +## +# +interface(`files_create_pid_dir',` + gen_require(` + type var_run_t; + ') + + allow $1 var_run_t:dir create_dir_perms; +') + +######################################## ## ## Search the contents of runtime process ## ID directories (/var/run). diff -ru /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if ./policy/modules/kernel/filesystem.if --- /home/rjc/src/pol-git/policy/modules/kernel/filesystem.if 2016-07-28 20:33:39.963961720 +1000 +++ ./policy/modules/kernel/filesystem.if 2016-08-03 16:19:16.127550295 +1000 @@ -767,6 +767,42 @@ ######################################## ## +## Relabel pstore directories. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabel_pstore_dirs',` + gen_require(` + type pstore_t; + ') + + relabel_dirs_pattern($1, pstore_t, pstore_t) +') + +######################################## +## +## Get the attributes of a pstore filesystem. +## +## +## +## Domain allowed access. +## +## +# +interface(`getattr_pstorefs',` + gen_require(` + type pstore_t; + ') + +allow $1 pstore_t:filesystem getattr; +') + +######################################## +## ## Relabel cgroup directories. ## ## 
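Review bot: `getattr_pstorefs` is missing the `fs_` module prefix that every other interface in filesystem.if uses, and its body line `allow $1 pstore_t:filesystem getattr;` is at column 0 instead of the one-tab indent used by its neighbours; rename it `fs_getattr_pstorefs`, indent the rule, and update the two callers in selinuxutil.te. Its summary should also say it covers the filesystem class (statfs-style getattr) rather than file getattr, so it is not confused with `fs_relabel_pstore_dirs` directly above.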
@@ -806,6 +842,26 @@ ######################################## ## +## Create cgroup lnk_files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_create_cgroup_links',` + gen_require(` + type cgroup_t; + ') + + create_lnk_files_pattern($1, cgroup_t, cgroup_t) + rw_lnk_files_pattern($1, cgroup_t, cgroup_t) + dev_search_sysfs($1) +') + +######################################## +## ## Write cgroup files. ## ## @@ -836,7 +892,6 @@ interface(`fs_rw_cgroup_files',` gen_require(` type cgroup_t; - ') rw_files_pattern($1, cgroup_t, cgroup_t) @@ -4351,6 +4406,24 @@ ') ######################################## +## +## Relabelfrom tmpfs link files. +## +## +## +## Domain allowed access. +## +## +# +interface(`fs_relabelfrom_tmpfs_symlinks',` + gen_require(` + type tmpfs_t; + ') + + allow $1 tmpfs_t:lnk_file { getattr relabelfrom }; +') + +######################################## ## ## Read and write character nodes on tmpfs filesystems. ## diff -ru /home/rjc/src/pol-git/policy/modules/kernel/kernel.te ./policy/modules/kernel/kernel.te --- /home/rjc/src/pol-git/policy/modules/kernel/kernel.te 2016-07-28 20:33:39.963961720 +1000 +++ ./policy/modules/kernel/kernel.te 2016-08-03 16:11:44.354831390 +1000 @@ -269,6 +269,15 @@ dev_delete_generic_chr_files(kernel_t) dev_mounton(kernel_t) +ifdef(`distro_debian',` + # for systemd access to /run before transition + fs_search_tmpfs(kernel_t) + # also for systemd before transition + selinux_compute_create_context(kernel_t) + kernel_read_unlabeled_state(kernel_t) +') + + # Mount root file system. Used when loading a policy # from initrd, then mounting the root filesystem fs_mount_all_fs(kernel_t) diff -ru /home/rjc/src/pol-git/policy/modules/roles/sysadm.te ./policy/modules/roles/sysadm.te --- /home/rjc/src/pol-git/policy/modules/roles/sysadm.te 2016-07-28 20:33:39.963961720 +1000 +++ ./policy/modules/roles/sysadm.te 2016-08-03 16:11:44.354831390 +1000 
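Review bot: The `@@ -836,7 +892,6 @@` hunk removes the `')` that closes `gen_require(` in `fs_rw_cgroup_files`, leaving the require block unterminated so the following `rw_files_pattern(...)` is swallowed into it; this looks like an accidental deletion and will most likely break the build or silently mangle the interface. Restore the line so the interface reads `gen_require(` / `type cgroup_t;` / `')` before `rw_files_pattern($1, cgroup_t, cgroup_t)`. The rest of the interface body lies outside the hunk.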
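Review bot: The three rules added to kernel_t are commented as being for systemd before the transition, yet they are guarded by `ifdef(`distro_debian'` rather than `ifdef(`init_systemd'`; a Debian system booting sysvinit gets them for nothing, and a non-Debian systemd system that hits the same early-boot denials does not. Unless something Debian-specific is involved, change the guard to `ifdef(`init_systemd',`. `kernel_read_unlabeled_state(kernel_t)` in particular deserves a comment saying what is still unlabeled at that point.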
@@ -44,6 +44,8 @@ init_stop_generic_units(sysadm_t) init_reload_generic_units(sysadm_t) +selinux_read_policy(sysadm_t) + # Add/remove user home directories userdom_manage_user_home_dirs(sysadm_t) userdom_home_filetrans_user_home_dir(sysadm_t) @@ -103,6 +105,10 @@ ') optional_policy(` + system_mail_role(sysadm_r) +') + +optional_policy(` amanda_run_recover(sysadm_t, sysadm_r) ') diff -ru /home/rjc/src/pol-git/policy/modules/services/ssh.if ./policy/modules/services/ssh.if --- /home/rjc/src/pol-git/policy/modules/services/ssh.if 2016-07-28 20:33:39.967961825 +1000 +++ ./policy/modules/services/ssh.if 2016-08-03 16:11:44.362831615 +1000 @@ -349,6 +349,8 @@ allow $1_ssh_agent_t self:process { setrlimit signal }; allow $1_ssh_agent_t self:capability setgid; + allow $1_ssh_agent_t self:fifo_file rw_file_perms; + allow $1_ssh_agent_t { $1_ssh_agent_t $3 }:process signull; allow $1_ssh_agent_t self:unix_stream_socket { create_stream_socket_perms connectto }; @@ -432,6 +434,7 @@ optional_policy(` xserver_use_xdm_fds($1_ssh_agent_t) xserver_rw_xdm_pipes($1_ssh_agent_t) + xdm_sigchld($1_ssh_agent_t) ') ') diff -ru /home/rjc/src/pol-git/policy/modules/services/xserver.te ./policy/modules/services/xserver.te --- /home/rjc/src/pol-git/policy/modules/services/xserver.te 2016-07-28 20:33:39.967961825 +1000 +++ ./policy/modules/services/xserver.te 2016-08-03 16:11:44.362831615 +1000 @@ -260,6 +260,7 @@ allow xdm_t xauth_home_t:file manage_file_perms; userdom_user_home_dir_filetrans(xdm_t, xauth_home_t, file) +userdom_user_home_dir_filetrans(xdm_t, user_home_t, file, ".xsession-errors") kernel_request_load_module(xauth_t) diff -ru /home/rjc/src/pol-git/policy/modules/system/fstools.if ./policy/modules/system/fstools.if --- /home/rjc/src/pol-git/policy/modules/system/fstools.if 2016-07-28 20:33:39.967961825 +1000 +++ ./policy/modules/system/fstools.if 2016-08-03 16:11:44.366831728 +1000 
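Review bot: `allow $1_ssh_agent_t self:fifo_file rw_file_perms;` applies the file permission macro to the fifo_file class; refpolicy convention is `rw_fifo_file_perms`, which the dpkg hunk above already uses for the same purpose. A comment naming what the agent does with a pipe to itself would also help, since the existing rules in this interface only cover sockets.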
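Review bot: The call `xdm_sigchld($1_ssh_agent_t)` does not follow the `xserver_` prefix used by the neighbouring `xserver_use_xdm_fds` and `xserver_rw_xdm_pipes` calls, so either it is defined somewhere outside this patch or the intended interface is the xserver module's sigchld-to-xdm one; please confirm the policy builds with it. If the xserver interface is what is meant, the call should be renamed accordingly.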
@@ -172,3 +172,21 @@ allow $1 swapfile_t:file getattr; ') + +######################################## +## +## Write to fsadm_log_t +## +## +## +## Domain allowed access. +## +## +# +interface(`fstools_write_log',` + gen_require(` + type fsadm_log_t; + ') + + allow $1 fsadm_log_t:file write_file_perms; +') diff -ru /home/rjc/src/pol-git/policy/modules/system/init.te ./policy/modules/system/init.te --- /home/rjc/src/pol-git/policy/modules/system/init.te 2016-07-28 20:33:39.967961825 +1000 +++ ./policy/modules/system/init.te 2016-08-03 16:31:49.272457522 +1000 @@ -125,9 +125,15 @@ allow init_t initrc_t:unix_stream_socket connectto; # For /var/run/shutdown.pid. +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; allow init_t init_var_run_t:file manage_file_perms; files_pid_filetrans(init_t, init_var_run_t, file) +# for /run/initctl +allow init_t init_var_run_t:fifo_file manage_fifo_file_perms; + +allow init_t init_var_run_t:lnk_file manage_lnk_file_perms; + allow init_t initctl_t:fifo_file manage_fifo_file_perms; dev_filetrans(init_t, initctl_t, fifo_file) @@ -138,12 +144,18 @@ kernel_share_state(init_t) kernel_dontaudit_search_unlabeled(init_t) +domain_read_all_domains_state(init_t) + corecmd_exec_chroot(init_t) corecmd_exec_bin(init_t) dev_read_sysfs(init_t) +fs_relabel_pstore_dirs(init_t) +dev_read_urand(init_t) + # Early devtmpfs dev_rw_generic_chr_files(init_t) +dev_relabel_generic_symlinks(init_t) domain_getpgid_all_domains(init_t) domain_kill_all_domains(init_t) @@ -156,6 +168,9 @@ files_rw_generic_pids(init_t) files_manage_etc_runtime_files(init_t) files_etc_filetrans_etc_runtime(init_t, file) +files_relabelto_etc_runtime(init_t) +files_list_usr(init_t) + # Run /etc/X11/prefdm: files_exec_etc_files(init_t) # file descriptors inherited from the rootfs: 
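Review bot: `fstools_write_log` grants `write_file_perms` on fsadm_log_t, which for a log type is wider than refpolicy's usual `append_file_perms` and lets the caller truncate or overwrite the fsck log; if logsave only appends, use append and name the interface `fstools_append_log`. If logsave also creates the log when it is missing, the caller (initrc_t in init.te) will additionally need create and a `logging_log_filetrans` to fsadm_log_t, which this interface does not provide.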
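Review bot: `allow init_t init_var_run_t:lnk_file manage_lnk_file_perms;` is added twice in this hunk, once under the `/var/run/shutdown.pid` comment and again after the new `/run/initctl` fifo rule; keep one, ideally with a comment naming the symlink systemd creates under init_var_run_t. The new fifo rule sits next to the existing `initctl_t:fifo_file` rule for the same path, so a note on why both types are needed (presumably before and after the relabel) would stop someone removing one later.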
@@ -282,6 +297,9 @@ # udevd is a "systemd kobject uevent socket activated daemon" udev_create_kobject_uevent_sockets(init_t) + # for systemd to read udev status + udev_read_pid_files(init_t) + optional_policy(` systemd_relabelto_kmod_files(init_t) @@ -306,11 +324,21 @@ ') ') +fs_relabelfrom_tmpfs_symlinks(init_t) + ifdef(`distro_debian',` fs_tmpfs_filetrans(init_t, initctl_t, fifo_file, "initctl") allow init_t initrc_var_run_t:file manage_file_perms; fs_tmpfs_filetrans(init_t, initrc_var_run_t, file, "utmp") + fs_manage_tmpfs_files(initrc_t) + sysnet_write_config(initrc_t) + sysnet_create_config(initrc_t) + sysnet_manage_config(initrc_t) + + optional_policy(` + postfix_read_config(initrc_t) + ') ') ifdef(`distro_gentoo',` @@ -326,6 +354,12 @@ ') optional_policy(` + modutils_read_module_config(init_t) + modutils_read_module_deps(init_t) + modutils_read_module_objects(init_t) +') + +optional_policy(` auth_rw_login_records(init_t) ') @@ -374,6 +408,9 @@ # Going to single user mode init_telinit(initrc_t) +# for logsave in strict configuration +fstools_write_log(initrc_t) + can_exec(initrc_t, init_script_file_type) create_dirs_pattern(initrc_t, daemonpidfile, daemonpidfile) @@ -393,6 +430,8 @@ allow initrc_t initrc_var_run_t:file manage_file_perms; files_pid_filetrans(initrc_t, initrc_var_run_t, file) +files_create_pid_dir(initrc_t) +files_setattr_pid_dirs(initrc_t) can_exec(initrc_t, initrc_tmp_t) manage_files_pattern(initrc_t, initrc_tmp_t, initrc_tmp_t) @@ -439,6 +478,7 @@ corenet_tcp_connect_all_ports(initrc_t) corenet_sendrecv_all_client_packets(initrc_t) +dev_create_subdir(initrc_t) dev_read_rand(initrc_t) dev_read_urand(initrc_t) dev_write_kmsg(initrc_t) 
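Review bot: In the `distro_debian` block, `sysnet_manage_config(initrc_t)` already implies the `sysnet_write_config` and `sysnet_create_config` calls above it, so two of the three lines are redundant; keep only the narrowest one the boot script actually needs, with a comment naming it. `fs_relabelfrom_tmpfs_symlinks(init_t)` is placed outside any ifdef just before this block, which looks unintended; if it is only for systemd on Debian it belongs inside the `init_systemd` or `distro_debian` guard. `fs_manage_tmpfs_files(initrc_t)` is also broad for the init script domain and deserves a comment.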
@@ -726,6 +766,7 @@ ') ifdef(`init_systemd',` + kernel_load_module(init_t) manage_files_pattern(initrc_t, initrc_lock_t, initrc_lock_t) files_lock_filetrans(initrc_t, initrc_lock_t, file) diff -ru /home/rjc/src/pol-git/policy/modules/system/libraries.fc ./policy/modules/system/libraries.fc --- /home/rjc/src/pol-git/policy/modules/system/libraries.fc 2016-08-03 10:37:38.716348544 +1000 +++ ./policy/modules/system/libraries.fc 2016-08-03 16:11:44.362831615 +1000 @@ -91,7 +91,11 @@ # # /sbin # +ifdef(`distro_debian',` +/sbin/ldconfig.real -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +',` /sbin/ldconfig -- gen_context(system_u:object_r:ldconfig_exec_t,s0) +') # # /usr diff -ru /home/rjc/src/pol-git/policy/modules/system/modutils.if ./policy/modules/system/modutils.if --- /home/rjc/src/pol-git/policy/modules/system/modutils.if 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/modules/system/modutils.if 2016-08-03 16:11:44.358831503 +1000 @@ -39,6 +39,25 @@ ######################################## ## +## Read the kernel modules. +## +## +## +## Domain allowed access. +## +## +# +interface(`modutils_read_module_objects',` + gen_require(` + type modules_object_t; + ') + + files_list_kernel_modules($1) + allow $1 modules_object_t:file read_file_perms; +') + +######################################## +## ## Read the configuration options used when ## loading modules. ## diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc ./policy/modules/system/selinuxutil.fc --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.fc 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/modules/system/selinuxutil.fc 2016-08-03 16:11:44.366831728 +1000 
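Review bot: On Debian this labels only `/sbin/ldconfig.real` as ldconfig_exec_t and leaves `/sbin/ldconfig` at the /sbin default, so if `/sbin/ldconfig` is the shell wrapper that execs ldconfig.real, the wrapper runs in the caller's domain and only the real binary transitions. That is a reasonable choice but worth a comment, e.g. `# /sbin/ldconfig is a wrapper on Debian; only ldconfig.real gets the exec type`, so nobody "fixes" it back later.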
@@ -25,6 +25,7 @@ /sbin/load_policy -- gen_context(system_u:object_r:load_policy_exec_t,s0) /sbin/restorecon -- gen_context(system_u:object_r:setfiles_exec_t,s0) /sbin/setfiles.* -- gen_context(system_u:object_r:setfiles_exec_t,s0) +/usr/bin/dpkg-statoverride -- gen_context(system_u:object_r:setfiles_exec_t,s0) # # /usr diff -ru /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te ./policy/modules/system/selinuxutil.te --- /home/rjc/src/pol-git/policy/modules/system/selinuxutil.te 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/modules/system/selinuxutil.te 2016-08-03 16:11:44.362831615 +1000 @@ -192,6 +192,7 @@ userdom_use_user_terminals(load_policy_t) userdom_use_all_users_fds(load_policy_t) +dev_read_urand(load_policy_t) ifdef(`distro_ubuntu',` optional_policy(` @@ -324,6 +325,8 @@ kernel_use_fds(restorecond_t) kernel_rw_pipes(restorecond_t) kernel_read_system_state(restorecond_t) +kernel_getattr_debugfs(restorecond_t) +getattr_pstorefs(restorecond_t) fs_relabelfrom_noxattr_fs(restorecond_t) fs_dontaudit_list_nfs(restorecond_t) @@ -455,6 +458,7 @@ kernel_read_kernel_sysctls(semanage_t) corecmd_exec_bin(semanage_t) +corecmd_exec_shell(semanage_t) dev_read_urand(semanage_t) @@ -537,6 +541,8 @@ kernel_rw_unix_dgram_sockets(setfiles_t) kernel_dontaudit_list_all_proc(setfiles_t) kernel_dontaudit_list_all_sysctls(setfiles_t) +kernel_getattr_debugfs(setfiles_t) +getattr_pstorefs(setfiles_t) dev_relabel_all_dev_nodes(setfiles_t) # to handle when /dev/console needs to be relabeled 
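Review bot: Labeling `/usr/bin/dpkg-statoverride` as setfiles_exec_t runs a dpkg database tool in setfiles_t, a domain that (per the setfiles rules in this file, e.g. `dev_relabel_all_dev_nodes`) can relabel essentially anything and is intended for the setfiles/restorecon binaries only; every domain allowed to domtrans to setfiles_t can now invoke dpkg-statoverride with those privileges, and dpkg-statoverride takes user-supplied path, owner and mode arguments. If it only needs to chown/chmod files and consult the dpkg database, a dedicated domain or simply running it in the caller's dpkg_script_t is the least-privilege choice, and the accompanying `dpkg_read_db(setfiles_t)` rule in selinuxutil.te becomes unnecessary.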
@@ -598,6 +604,11 @@ fs_rw_tmpfs_chr_files(setfiles_t) ') +# for dpkg-statoverride running as setfiles_t +optional_policy(` + dpkg_read_db(setfiles_t) +') + ifdef(`distro_redhat', ` fs_rw_tmpfs_chr_files(setfiles_t) fs_rw_tmpfs_blk_files(setfiles_t) diff -ru /home/rjc/src/pol-git/policy/modules/system/userdomain.if ./policy/modules/system/userdomain.if --- /home/rjc/src/pol-git/policy/modules/system/userdomain.if 2016-08-03 10:37:38.724348763 +1000 +++ ./policy/modules/system/userdomain.if 2016-08-03 16:11:44.362831615 +1000 @@ -67,6 +67,7 @@ dontaudit $1_t user_tty_device_t:chr_file ioctl; kernel_read_kernel_sysctls($1_t) + kernel_read_vm_sysctls($1_t) kernel_dontaudit_list_unlabeled($1_t) kernel_dontaudit_getattr_unlabeled_files($1_t) kernel_dontaudit_getattr_unlabeled_symlinks($1_t) @@ -78,6 +79,12 @@ dev_dontaudit_getattr_all_blk_files($1_t) dev_dontaudit_getattr_all_chr_files($1_t) + # for X session unlock + allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay }; + + # for KDE + allow $1_t self:netlink_kobject_uevent_socket connected_socket_perms; + # When the user domain runs ps, there will be a number of access # denials when ps tries to search /proc. Do not audit these denials. domain_dontaudit_read_all_domains_state($1_t) @@ -108,6 +115,14 @@ sysnet_read_config($1_t) + # kdeinit wants systemd status + init_status($1_t) + + optional_policy(` + apt_read_cache($1_t) + apt_read_db($1_t) + ') + tunable_policy(`allow_execmem',` # Allow loading DSOs that require executable stack. allow $1_t self:process execmem; diff -ru /home/rjc/src/pol-git/policy/modules/system/userdomain.te ./policy/modules/system/userdomain.te --- /home/rjc/src/pol-git/policy/modules/system/userdomain.te 2016-08-03 10:37:38.724348763 +1000 +++ ./policy/modules/system/userdomain.te 2016-08-03 16:11:44.362831615 +1000 
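Review bot: The raw `allow $1_t self:netlink_audit_socket { create_socket_perms nlmsg_relay };` should be `logging_send_audit_msgs($1_t)`, which pairs the socket with the audit_write capability; as I understand the kernel's audit netlink checks, user-space audit records are rejected without that capability, so this rule alone probably silences one denial before the next appears. Sending audit messages from every user domain, including unprivileged ones, is also a meaningful grant, so the comment `# for X session unlock` should name the program so the rule can later be narrowed to the screen locker's helper domain. The `netlink_kobject_uevent_socket` rule for KDE likewise belongs in an optional or tunable block if only one desktop needs it.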
@@ -53,6 +53,10 @@ # all user domains attribute userdomain; +ifdef(`distro_debian', ` + dpkg_read_db(userdomain) +') + # unprivileged user domains attribute unpriv_userdomain; diff -ru /home/rjc/src/pol-git/policy/support/file_patterns.spt ./policy/support/file_patterns.spt --- /home/rjc/src/pol-git/policy/support/file_patterns.spt 2016-07-28 20:33:39.971961928 +1000 +++ ./policy/support/file_patterns.spt 2016-08-03 16:11:44.366831728 +1000 @@ -489,7 +489,7 @@ define(`create_chr_files_pattern',` allow $1 self:capability mknod; allow $1 $2:dir add_entry_dir_perms; - allow $1 $3:chr_file create_chr_file_perms; + allow $1 $3:chr_file { create_chr_file_perms setattr }; ') define(`delete_chr_files_pattern',`
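Review bot: `dpkg_read_db(userdomain)` is called inside `ifdef(`distro_debian'` but not inside `optional_policy(`, so the base userdomain module gains a hard dependency on the contrib dpkg module and the build fails if dpkg is left out of modules.conf; the userdomain.if hunk just above wraps its apt calls in optional_policy and this should match. Wrap it as `optional_policy(` / `dpkg_read_db(userdomain)` / `')`.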
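Review bot: Adding `setattr` to `create_chr_files_pattern` silently widens every existing caller of that macro across the policy, not just the domain that hit the denial, and makes it diverge from `create_blk_files_pattern` and from the `create_chr_file_perms` set it is meant to mirror. The domain that needs setattr on the device nodes it creates (init_t or udev for devtmpfs, presumably) should get an explicit `allow <domain> <type>:chr_file setattr;` or a `setattr_chr_files_pattern` call if one is defined, leaving the shared pattern untouched.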